
Analysis Report DETALLE DE CITACION FISCAL PENDIENTE.exe

Overview

General Information

Sample Name: DETALLE DE CITACION FISCAL PENDIENTE.exe
Analysis ID: 399029
MD5: 014700e8b066195a838cc64e2a92f8d2
SHA1: 38df508905566b855bd05ad79adc09740807bac4
SHA256: 09df870092fdf14100cf041139efcf165933d0d50c6ac8bf06fdf3116f63cfa2

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Startup

  • System is w10x64
  • DETALLE DE CITACION FISCAL PENDIENTE.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe' MD5: 014700E8B066195A838CC64E2A92F8D2)
    • powershell.exe (PID: 6888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7048 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6352 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "fransiscolopesierraazul09.duckdns.org", "Ports": "1884", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "chrome.exe", "AES_key": "lgXmK2AdmNpdoXMEQOfnc9bPH6KQZTeV", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAK8zaZwRZ+fUWJcLHGATZzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjAwNTEyMTg0NTIwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMdIblOtWCpzNPqAOf1S+7vlC2kB/dxtq8f4H/YsqylaofoKNpxtFlRjT/B6NvNf7WO7iRO1Wv63pLuAvC5P0ASCzR8ElerFsCE5g4vSxLroVyS+ZJqHhABcS0k6Yr4Le74d21K5SHdVTUxNx4aMMPM7Wij7KSidRMxnrYj3GhtSugZrsKdiR8zctm3oYmjlaXhTufW7eKAXH+qv4GQ/KwbiftPX8oevKp4ZNkCNWTbBVQxaaGoxcumt55tpzFBJL3+IolneUn5nNR8Cq5kXaNZ0KmyrnI2wQZuEVRLNLuJ+IAvLYSk3a/tnXqj1idH7E5Y56T8jh1IBlI5fZUTd8itqy8Lg2yd7pXPwwNDfDCvsMNAgVQI9pfbFqFlxaH7UR3pfGm7JT8DGZtbdfkYfhzR4Ju4DiDzteiOGnBPRdgZgrCL5m7QLq7xsAALwj7TuKwKA6dCnJz3PEu27YTCL1O8jtDp70bdFhrdcyXL9KTfglnHB8lP15Kz8P8nRbF/g4BsdPsrTIZ/NYfQCxrXUtTQcveqFrFFqOhrE5aRF1pWeyIJ52Ka6xNRgPVASO1MTnL3yG8GKQjDnk4wIlm4uM3ufbAsbwOYfh2ll4KSXBDDgsOJpLz0timY1UFS6oXwIEslSEMcjF5OTILR1d4UtKwLVwmMbF5crW5ufUtt0vIbVAgMBAAGjMjAwMB0GA1UdDgQWBBShXknMhPHeKKrbZAXIhLhm8U3CjDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQBcj5Aj1xn/V/dBNocX1bVrsvoaeWl7XLx8MqCzGUHDu3rRzi/BnmOlA++JvpUgrQVNo4gxbddI1fGD2cECn0dni1in5NpvczXK0VggYbY+R2QgGvlZkw6vZAPbvXjFib1B/aG5jozaGqzStpUvasLmQyOEq0x61QypqWhWzR92NHk2ENzVG2q0jPmDyCZok0fuVerklsjYBXx66+M29oJeJfJ3Br2etGOeIKaSpTXAxia7a2e2C/T55lj3dl5kRDwSR23BA4j0s4xBar58Pmck8RvdN/1aSoeijARmQj1HKNX0D0y99JowcvnHwCVdaKEVK9WDY3tFJ84bGlBtuNzU1fHxrQ2iw74ewmJHLJmTQAi/boMRZsci+acpLJ+w2YIozlxfbZefo99l5rx2pCmw9fYCVVyOxffsvVunJsgHZRh88Yr6oN4ScVjN/AUHrZh/MLULKD2n5TnBXWTa6fvOrZDTj/ZyLVhVSykMWRgRerOht4B2NtKV54iKTkdq8Jf6bIpgWhZ8M7YP/c/izEWivyFsU6Z9KILUphsp8MXfgmpmE9JOo1Ql2bd0zdq27yRbMQcXETY8/+hLdwLlfPGZPgbIaz1GCfR5bCTqGAnA/nyaIV3Af123SOhVLqiShrFxc6bHJDcQ/XVyHR11wFtdoPfND62mjIV92DS8rq+Ujw==", "ServerSignature": "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", "Group": "Default"}

Yara Overview

Memory Dumps

Source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
(4 further entries not shown in this extract)

Unpacked PEs

Source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
(2 further entries not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
  ParentImage: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
  ParentProcessId: 6304
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
  ProcessId: 7048

Signature Overview

AV Detection:

Found malware configuration
Source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, Malware Configuration Extractor: AsyncRAT (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe, ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Virustotal: Detection: 39%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Joe Sandbox ML: detected
Source: 17.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 201.219.204.73:1884 -> 192.168.2.5:49715
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: fransiscolopesierraazul09.duckdns.org
Uses dynamic DNS services
Source: unknown, DNS query: name: fransiscolopesierraazul09.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.5:49715 -> 201.219.204.73:1884
Source: unknown, DNS traffic detected: queries for: fransiscolopesierraazul09.duckdns.org
Source: powershell.exe, 00000006.00000002.438960521.0000000002C76000.00000004.00000020.sdmp, RegSvcs.exe, 00000011.00000002.535454436.0000000001828000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000E.00000003.433007455.0000000009A1A000.00000004.00000001.sdmp, String found in binary or memory: http://crl.microsoft.
Source: RegSvcs.exe, 00000011.00000002.535097444.00000000017C4000.00000004.00000020.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegSvcs.exe, 00000011.00000002.535454436.0000000001828000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.17.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000011.00000003.317518074.00000000059E1000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabE
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.267795283.000000000149D000.00000004.00000001.sdmp, String found in binary or memory: http://en.wL
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.440969339.0000000004831000.00000004.00000001.sdmp, RegSvcs.exe, 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.274703851.0000000005D5D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersQ2
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.308896483.0000000005D50000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comB.TTF
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.308896483.0000000005D50000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comT%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com$Y
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comQY
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comcCY
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270034154.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270261935.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270019452.0000000005D8D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cna-dS
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270019452.0000000005D8D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl-g
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz_%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/1%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/B%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/T%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Verd
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0I
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/p%
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com_Bz(
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comn-u
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269458879.0000000005D59000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269458879.0000000005D59000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krA9
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268615371.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com-Y
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268587606.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comcI
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269188528.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comn
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268615371.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comnQY
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268562061.0000000005D6B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comzY
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000003.407431731.0000000005360000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412901050.0000000004EE7000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.421567427.000000000590C000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match, File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
Source: Yara match, File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeCode function: 0_2_0147C2B00_2_0147C2B0
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeCode function: 0_2_014799900_2_01479990
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174953017_2_01749530
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174D5E017_2_0174D5E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_01748C6017_2_01748C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174F29817_2_0174F298
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 17_2_0174891817_2_01748918
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.293215604.00000000009DA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTokenListCount.exej% vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322043279.000000000DAC0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322993718.000000000DBC0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.322993718.000000000DBC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.318436307.0000000007690000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Binary or memory string: OriginalFilenameTokenListCount.exej% vs DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PZiCrodPdRhuJR.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: PZiCrodPdRhuJR.exe.0.dr, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: PZiCrodPdRhuJR.exe.0.dr, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, CustomCrypt.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/20@1/1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_01
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Mutant created: \Sessions\1\BaseNamedObjects\yYDdTnLvJsPSJaGTuEoCj
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000000.263855744.0000000000912000.00000002.00020000.sdmp | Binary or memory string: SELECT DATE(C.`date_created`) AS `DATE`,i.name AS `INSTITUTION NAME`, b.`BranchName` AS `BRANCH`, coltrs.`name` AS `COLLECTOR NAME`, c.id AS `CUSTOMER ID`, c.`name` AS `CUSTOMER FULL NAME`, c.`first_name` AS `FIRST NAME`, c.`last_name` AS `LAST NAME`,C.`email` AS `EMAIL`, C.`phone` AS `PHONE NUMBER`, C.`gender` AS `GENDER`, C.`address` AS `ADDRESS`, c.`id_type` AS `ID TYPE`, c.`card_no` AS `ID NUMBER`, c.`account_type` AS `ACCOUNT TYPE`,c.`account_no` AS `ACCOUNT NUMBER`,c.`balance` AS `BALANCE`,c.`status` AS `STATUS` FROM customers c INNER JOIN institutions i ON c.institution_id = i.id INNER JOIN branch b ON c.`Branchid`=b.`id` INNER JOIN collectors coltrs ON c.`collector_id`=coltrs.`id` INNER JOIN customers ctmrs ON c.`customer_id`=ctmrs.`id` WHERE A ORDER BY `CUSTOMER FULL NAME`eExcel files (*.xlsx)|*.xlsx|XLS Files (*.xls)|*xls]Provider=Microsoft.ACE.OLEDB.12.0;Data Source=A;Extended Properties=Excel 12.0;/Select * From [Sheet1$]
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Virustotal: Detection: 39%
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | ReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File read: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: PZiCrodPdRhuJR.exe.0.dr, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: 0.0.DETALLE DE CITACION FISCAL PENDIENTE.exe.910000.0.unpack, My/Resources/Resources.cs | .Net Code: get__1ECCA08C2C988543629CC5AC5E4B3BB578726F80A17EB21483_pimgpsh_fullsize_distr contains xor as well as GetObject
                      Source: initial sample | Static PE information: section name: .text entropy: 7.5949673099
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File created: C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe (dropped file)

                      Boot Survival:

                      Yara detected AsyncRAT
                      Source: Yara match | File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
Yara detected AsyncRAT
Source: Yara match | File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
Source: Yara match | File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, RegSvcs.exe, 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4215
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2825
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4427
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2513
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3793
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8807
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe TID: 6308 | Thread sleep time: -100037s >= -30000s
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe TID: 6336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5184 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6316 | Thread sleep count: 4427 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6316 | Thread sleep count: 2513 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1112 | Thread sleep count: 56 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5196 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1752 | Thread sleep count: 3793 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6092 | Thread sleep count: 86 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5616 | Thread sleep count: 2885 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5204 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Thread delayed: delay time: 100037
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000006.00000003.406991417.000000000526D000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412090639.0000000004DF4000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.420568805.000000000581B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V
Source: RegSvcs.exe, 00000011.00000002.542091067.0000000006020000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegSvcs.exe, 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: RegSvcs.exe, 00000011.00000003.449926301.0000000005A26000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000011.00000002.542091067.0000000006020000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000011.00000002.542091067.0000000006020000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegSvcs.exe, 00000011.00000002.535382537.0000000001814000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW]
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: powershell.exe, 00000006.00000003.406991417.000000000526D000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412090639.0000000004DF4000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.420568805.000000000581B000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: RegSvcs.exe, 00000011.00000002.542091067.0000000006020000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10DC008
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000011.00000002.535454436.0000000001828000.00000004.00000020.sdmp | Binary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000011.00000002.535994908.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000011.00000002.535994908.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: RegSvcs.exe, 00000011.00000002.535994908.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                      Source: RegSvcs.exe, 00000011.00000002.535994908.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: RegSvcs.exe, 00000011.00000002.535994908.0000000001E50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Yara detected AsyncRAT
                      Source: Yara match  File source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match  File source: Process Memory Space: RegSvcs.exe PID: 6212, type: MEMORY
                      Source: Yara match  File source: Process Memory Space: DETALLE DE CITACION FISCAL PENDIENTE.exe PID: 6304, type: MEMORY
                      Source: Yara match  File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2eec7cc.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e6f7e8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match  File source: 0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack, type: UNPACKEDPE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Mitre Att&ck Matrix

                      Techniques are listed per tactic (one matrix column per line); numbers in parentheses are the counts attached to each technique in the matrix.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                      Execution: Windows Management Instrumentation (1); Scheduled Task/Job (2); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                      Persistence: Scheduled Task/Job (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Privilege Escalation: Process Injection (312); Scheduled Task/Job (2); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                      Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (312); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Software Packing (13); Indicator Removal from Tools
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                      Discovery: Query Registry (1); Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                      Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 399029 | Sample: DETALLE DE CITACION FISCAL ... | Start date: 28/04/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree recovered from the graph:

DETALLE DE CITACION FISCAL PENDIENTE.exe (started)
    dropped: C:\Users\user\AppData\...\PZiCrodPdRhuJR.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\tmp1D6B.tmp (XML)
    dropped: DETALLE DE CITACIO...L PENDIENTE.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    +-- RegSvcs.exe (started)
    |       network: fransiscolopesierraazul09.duckdns.org -> 201.219.204.73, port 1884 (local port 49715), ITELKOMCO, Colombia
    +-- powershell.exe (started)
    |       +-- conhost.exe (started)
    +-- powershell.exe (started)
    |       +-- conhost.exe (started)
    +-- 2 other processes
            +-- conhost.exe (started)
            +-- conhost.exe (started)
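The execution chain in the graph above (drop to AppData\Roaming, temp XML task file, Defender exclusion, injection into RegSvcs.exe, duckdns C2 on port 1884) is what a detection engineer would turn into host rules. The following Python matcher is an added example and not part of the Joe Sandbox report: it applies the report's indicators (C2 host, IP, the dropped PZiCrodPdRhuJR.exe, the tmp*.tmp task XML, the RegSvcs.exe egress) to Sysmon-style log lines. The log lines are constructed for the example; the exact PowerShell and schtasks command lines in them, the rule names and the triage thresholds are assumptions of mine about how the reported behaviour is normally produced and scored, since the report quotes no command lines.

```python
"""Match this report's indicators against Sysmon-style log lines.

Added example, not part of the Joe Sandbox report. Indicators (C2 host, IP,
dropped file name, temp XML task file, Defender exclusion, RegSvcs.exe egress)
come from the report; the log lines are CONSTRUCTED, and the PowerShell and
schtasks command lines in them are assumptions about how the reported
behaviour is usually produced (the report does not quote them).
"""
import re
from dataclasses import dataclass

# Indicators taken from the report.
C2_DOMAIN = "fransiscolopesierraazul09.duckdns.org"
C2_IP = "201.219.204.73"          # contacted on port 1884
DROPPED_EXE = "PZiCrodPdRhuJR.exe"

# Constructed sample events, one "key=value ..." record per line
# (Sysmon IDs: 1 process create, 3 network connect, 11 file create, 22 DNS).
SAMPLE_LOG = r"""
event=1 image=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe parent=C:\Windows\explorer.exe cmdline="DETALLE DE CITACION FISCAL PENDIENTE.exe"
event=11 image=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe target=C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe
event=11 image=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe target=C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp
event=1 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe cmdline="powershell Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming"
event=1 image=C:\Windows\System32\schtasks.exe parent=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe cmdline="schtasks.exe /Create /TN PZiCrodPdRhuJR /XML C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp"
event=1 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe parent=C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe cmdline="RegSvcs.exe"
event=22 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe query=fransiscolopesierraazul09.duckdns.org answer=201.219.204.73
event=3 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe dst=201.219.204.73 dport=1884 sport=49715
event=1 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmdline="notepad.exe"
event=3 image=C:\Program Files\Mozilla Firefox\firefox.exe dst=93.184.216.34 dport=443 sport=50010
"""

# Split on whitespace only where the next token looks like "key=", so that
# values containing spaces (paths, command lines) survive.
FIELD_SPLIT = re.compile(r"\s+(?=\w+=)")


def parse_event(line):
    """Turn one 'k=v k2=v2 ...' record into a dict; surrounding quotes are stripped."""
    fields = {}
    for part in FIELD_SPLIT.split(line.strip()):
        key, _, value = part.partition("=")
        fields[key] = value.strip('"')
    return fields


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def rules(ev):
    """Yield (rule, detail) for every indicator a single event matches."""
    etype = ev.get("event")
    img = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    if etype == "22":                                   # DNS query
        q = ev.get("query", "").lower()
        if q == C2_DOMAIN:
            yield "c2_domain", q
        elif q.endswith(".duckdns.org"):                # dynamic DNS, weaker signal
            yield "dynamic_dns", q
    if etype == "3":                                    # outbound connection
        dst, dport = ev.get("dst", ""), int(ev.get("dport", "0"))
        if dst == C2_IP:
            yield "c2_ip", f"{dst}:{dport}"
        # RegSvcs.exe is a .NET installer utility with no business talking to the internet.
        if img.endswith("\\regsvcs.exe") and dport not in (80, 443):
            yield "regsvcs_egress", f"{dst}:{dport}"
    if etype == "11":                                   # file create
        target = ev.get("target", "")
        if target.lower().endswith("\\" + DROPPED_EXE.lower()):
            yield "dropped_payload", target
        elif re.search(r"\\appdata\\roaming\\[^\\]+\.exe$", target.lower()):
            yield "exe_in_roaming", target
    if etype == "1":                                    # process create
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            yield "defender_exclusion", ev.get("cmdline", "")
        if img.endswith("\\schtasks.exe") and "/xml" in cmd and \
                re.search(r"\\appdata\\local\\temp\\tmp[0-9a-f]+\.tmp", cmd):
            yield "task_from_temp_xml", ev.get("cmdline", "")


def scan(log_text):
    """Run every rule over every non-empty line; return findings in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            for rule, detail in rules(parse_event(line)):
                findings.append(Finding(rule, n, detail))
    return findings


def triage(findings):
    """A hard IOC alone is malicious; two or more chained behaviours are suspicious."""
    hit = {f.rule for f in findings}
    if hit & {"c2_domain", "c2_ip", "dropped_payload"}:
        return "malicious"
    return "suspicious" if len(hit) >= 2 else "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no:2d}  {f.rule:<20} {f.detail}")
    print("verdict:", triage(found))
```

The hard indicators (domain, IP, dropped file name) are specific to this sample and will rot as soon as the operator re-registers a duckdns name; the behavioural rules (RegSvcs.exe egress on a non-standard port, a Defender exclusion added from PowerShell, a task registered from a %TEMP%\tmp*.tmp XML) are what survive a rebuild of the loader.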


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
DETALLE DE CITACION FISCAL PENDIENTE.exe | 40% | Virustotal |
DETALLE DE CITACION FISCAL PENDIENTE.exe | 34% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysen
DETALLE DE CITACION FISCAL PENDIENTE.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe | 34% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysen

                      Unpacked PE Files

Source | Detection | Scanner | Label
17.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.DETALLE DE CITACION FISCAL PENDIENTE.exe.2e85b00.2.unpack | 100% | Avira | HEUR/AGEN.1110362

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://www.fontbureau.comT% | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com_Bz( | 0% | Avira URL Cloud | safe
http://www.tiro.comcI | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://en.wL | 0% | Avira URL Cloud | safe
http://www.tiro.com-Y | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comn-u | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/1% | 0% | Avira URL Cloud | safe
http://www.fonts.comcCY | 0% | Avira URL Cloud | safe
http://www.fonts.com$Y | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/-cz_% | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Verd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/B% | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/M% | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl-g | 0% | Avira URL Cloud | safe
http://www.tiro.comnQY | 0% | Avira URL Cloud | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fonts.comQY | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0I | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://www.tiro.comn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/T% | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://crl.microsoft. | 0% | URL Reputation | safe
http://www.sandoll.co.krA9 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
fransiscolopesierraazul09.duckdns.org | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cna-dS | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/p% | 0% | Avira URL Cloud | safe
http://www.tiro.comzY | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fransiscolopesierraazul09.duckdns.org | 201.219.204.73 | true | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
fransiscolopesierraazul09.duckdns.org | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.comT% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.308896483.0000000005D50000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.com_Bz( | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.tiro.comcI | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268587606.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://en.wL | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.267795283.000000000149D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.tiro.com-Y | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268615371.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comn-u | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/1% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comcCY | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com$Y | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersQ2 | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.274703851.0000000005D5D000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/-cz_% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Verd | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/B% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/M% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnl-g | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270019452.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comnQY | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268615371.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comB.TTF | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.308896483.0000000005D50000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268253013.0000000005D6B000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269458879.0000000005D59000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.440969339.0000000004831000.00000004.00000001.sdmp, RegSvcs.exe, 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comQY | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268314785.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/Y0I | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000006.00000003.407431731.0000000005360000.00000004.00000001.sdmp, powershell.exe, 00000009.00000003.412901050.0000000004EE7000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.421567427.000000000590C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comn | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269188528.0000000005D6B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/T% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft. | powershell.exe, 0000000E.00000003.433007455.0000000009A1A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krA9 | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.269458879.0000000005D59000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000006.00000003.403441933.0000000007A58000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.410874673.000000000827B000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270261935.0000000005D54000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270034154.0000000005D54000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cna-dS | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.270019452.0000000005D8D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.443000438.0000000004971000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000002.309058356.0000000005E40000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/p% | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.271573644.0000000005D54000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.comzY | DETALLE DE CITACION FISCAL PENDIENTE.exe, 00000000.00000003.268562061.0000000005D6B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                          Contacted IPs


                                                          Public

IP: 201.219.204.73
Domain: fransiscolopesierraazul09.duckdns.org
Country: Colombia
ASN: 262215
ASN Name: ITELKOMCO
Malicious: true

                                                          General Information

                                                          Joe Sandbox Version:32.0.0 Black Diamond
                                                          Analysis ID:399029
                                                          Start date:28.04.2021
                                                          Start time:10:37:47
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 10m 55s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:DETALLE DE CITACION FISCAL PENDIENTE.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@15/20@1/1
                                                          EGA Information:
                                                          • Successful, ratio: 66.7%
                                                          HDC Information:
                                                          • Successful, ratio: 0.2% (good quality ratio 0.1%)
                                                          • Quality average: 34.9%
                                                          • Quality standard deviation: 37.7%
                                                          HCA Information:
                                                          • Successful, ratio: 100%
                                                          • Number of executed functions: 23
                                                          • Number of non-executed functions: 2
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                          • Excluded IPs from analysis (whitelisted): 20.82.210.154, 131.253.33.200, 13.107.22.200, 93.184.220.29, 40.88.32.150, 104.43.139.144, 23.57.80.111, 92.122.145.220, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194
                                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                                                          • Execution Graph export aborted for target powershell.exe, PID 6888 because it is empty
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
10:39:07 | API Interceptor | 1x Sleep call for process: DETALLE DE CITACION FISCAL PENDIENTE.exe modified
10:39:22 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified
10:39:51 | API Interceptor | 127x Sleep call for process: powershell.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

Match | Associated Sample Name / URL | Detection
201.219.204.73 | F6gn1X8SAD.exe | malicious
201.219.204.73 | DGszkk90Jh.exe | malicious
201.219.204.73 | DETALLE DE PAGO DAVIVIENDA MOVIMIENTOS CUENTA DE AHORRO.exe | malicious
201.219.204.73 | KwN7KH4W1Z.exe | malicious

                                                                  Domains

                                                                  No context

                                                                  ASN

Match | Associated Sample Name / URL | Detection | Context
ITELKOMCO | F6gn1X8SAD.exe | malicious | 201.219.204.73
ITELKOMCO | DGszkk90Jh.exe | malicious | 201.219.204.73
ITELKOMCO | DETALLE DE PAGO DAVIVIENDA MOVIMIENTOS CUENTA DE AHORRO.exe | malicious | 201.219.204.73
ITELKOMCO | KwN7KH4W1Z.exe | malicious | 201.219.204.73

                                                                  JA3 Fingerprints

                                                                  No context

                                                                  Dropped Files

                                                                  No context

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                  Category:dropped
                                                                  Size (bytes):58596
                                                                  Entropy (8bit):7.995478615012125
                                                                  Encrypted:true
                                                                  SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                  MD5:61A03D15CF62612F50B74867090DBE79
                                                                  SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                  SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                  SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):326
                                                                  Entropy (8bit):3.100971109390519
                                                                  Encrypted:false
                                                                  SSDEEP:6:kK4QywTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:xywTJ6HkPlE99SNxAhUe0ht
                                                                  MD5:974DD4959CC6FF3F54025241ABA367CB
                                                                  SHA1:186DEA66C667F6B7B7B56F975FE53FBC1A580193
                                                                  SHA-256:1B533D24BF0BDD159D1A1291C0D6EC663B87C09C7009E71637CD04E4E3F0346B
                                                                  SHA-512:3FC81CF3730AB3E11BCF8BFEC0372E3571D8E3479343FDB99531FC457DD1881216733FBC6E543EAC5460BDF7D9202D5673C38F514EF4172C2C2D1D593221F8AB
                                                                  Malicious:false
                                                                  Preview: p...... .........c.lU<..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DETALLE DE CITACION FISCAL PENDIENTE.exe.log
                                                                  Process:C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):1314
                                                                  Entropy (8bit):5.350128552078965
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                  Malicious:true
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14734
                                                                  Entropy (8bit):4.993014478972177
                                                                  Encrypted:false
                                                                  SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                  MD5:8D5E194411E038C060288366D6766D3D
                                                                  SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                  SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                  SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                  Malicious:false
                                                                  Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):22296
                                                                  Entropy (8bit):5.604837755234661
                                                                  Encrypted:false
                                                                  SSDEEP:384:LtCDtY2TXQ0tQnjXp3ASBKn+ultIyP7Y9gxSJUeRi1BMrmmZ1AV7QWUB64I+ipS:zSQj+4K+ulttrxXepf4ql
                                                                  MD5:D12DB0026405899348FE6E862464E916
                                                                  SHA1:7FC4E5701B2B686BBF6016C0BC47E8E385182CA1
                                                                  SHA-256:A293B28C794BA4BC4026052480A7E4B493754898EBED3F8C2CB2CDFDBD9F7189
                                                                  SHA-512:3BC2E6E595A58268D7C85486529F1075EBF726FD9C5A23B62C274FA10AA6CBC436DD77B6FA7ADC2BB4A5715257FF769FE0D998895F187B18229FD629772977AB
                                                                  Malicious:false
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qgwrppf.5we.psm1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1fxck1vd.mrq.ps1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3fcpxrmj.vyv.psm1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_holcpc1l.qq5.psm1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqq3gdon.45k.ps1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvz13qel.fej.ps1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview: 1
                                                                  C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp
                                                                  Process:C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1651
                                                                  Entropy (8bit):5.17519337439159
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBFtn:cbhC7ZlNQF/rydbz9I3YODOLNdq35
                                                                  MD5:5411A97551FDBB41D65AC5BA90EE4F85
                                                                  SHA1:9B88BA8F5A5B93A6B362F9CACEE4AD7A7B51A5B0
                                                                  SHA-256:8F8E58BC789E18D99E5A733BEC4D6A6D2C6E83AC0795F90970DB244DEBB59382
                                                                  SHA-512:D39C7DBEA61088E13CECA3062E53F28EED20B96526942E1CAABF15FF0068CF244B680947891851DFE8DACB2273B5E7ECACD31CFF1306325E457F6F687F0A05B9
                                                                  Malicious:true
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                  C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe
                                                                  Process:C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):818688
                                                                  Entropy (8bit):7.5851312661265515
                                                                  Encrypted:false
                                                                  SSDEEP:24576:EC+8h+RZdNltzKLGyIyUvxy3DAcPXDnq7U+:EC+8YZdNl3nDkrPzq7j
                                                                  MD5:014700E8B066195A838CC64E2A92F8D2
                                                                  SHA1:38DF508905566B855BD05AD79ADC09740807BAC4
                                                                  SHA-256:09DF870092FDF14100CF041139EFCF165933D0D50C6AC8BF06FDF3116F63CFA2
                                                                  SHA-512:13F8761B95A4A8C08B603369E8088908A1F2EE3F454F8DA97ECDBB7AA288D3C8872755B0E9833197C3554071380904B618F1F92579AF717E1B9D6BE841F39153
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 34%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`..............P..n............... ........@.. ....................................@.................................@...O.................................................................................... ............... ..H............text....l... ...n.................. ..`.rsrc................p..............@..@.reloc...............|..............@..B................t.......H...........................P............................................0............(!...(".........(.....o#....*.....................($......(%......(&......('......((....*N..(....o....()....*&..(*....*.s+........s,........s-........s.........s/........*....0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*.0..<........~.....(5.....,!r...p.....(6...o7...s8............~.....+..*.0......
                                                                  C:\Users\user\Documents\20210428\PowerShell_transcript.642294.Ah7ouoWJ.20210428103911.txt
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3541
                                                                  Entropy (8bit):5.367040208662519
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZS/DN0rqDo1ZsJoZG/DN0rqDo1Z4q8390c390c390ZZ+:ChhV
                                                                  MD5:D37C979031A9B7E642D127CFC30A9ACF
                                                                  SHA1:69B0E454C95905EC3B84C7B08403FEE94FF85775
                                                                  SHA-256:EB3F1D44C785D8E47E3571A5FA523893712BAF4BF7FDC26FDBAB9147FFA3B1DA
                                                                  SHA-512:0D4DFACB9B64A6FC6820EEB9A651C33A4547DBA79FE44AECE0BE87FF1B1D5B7617A3779C362DD2042CB299408EF0891B276D6931E47DDBD2B55843BF445C0BFE
                                                                  Malicious:false
                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210428103935..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe..Process ID: 6888..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210428103936..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe..**********************..Command start time: 20210428104242..**********************..PS>TerminatingError(Add-MpPref
                                                                  C:\Users\user\Documents\20210428\PowerShell_transcript.642294.VXmn7hiH.20210428103916.txt
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5815
                                                                  Entropy (8bit):5.393021201250149
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZy/DNIqDo1ZXZM/DNIqDo1ZyNvpXjZk/DNIqDo1ZOGHHlZQ:mQ
                                                                  MD5:D12E74ED5C308AD428D0627C4F18351B
                                                                  SHA1:6B0DAFC583D3330B9E74B00C35C6BDF1BA0CF1E2
                                                                  SHA-256:3A7E4495E7703F8610A5EBC6B9C518FF9C927905247BF8EDC9BB5D77A7D786DD
                                                                  SHA-512:84BA4FE9F65D6694B34398D96AC54A92AC659DC03C8D4DBCDFCEDB7D22FE2CBA5A80719945EFA17E92B22EBC3D99202C9D191DBD6E1264C73E2DC20A3661FF4F
                                                                  Malicious:false
                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210428103944..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe..Process ID: 6352..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210428103945..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe..**********************..Windows PowerShell transcript start..Start time: 20210428104709..Username: computer\user..RunAs User: DESKTOP
                                                                  C:\Users\user\Documents\20210428\PowerShell_transcript.642294.k5Ju8gw8.20210428103912.txt
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5815
                                                                  Entropy (8bit):5.396674026375125
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZu/DNbqDo1ZeZ3/DNbqDo1ZtvpXjZD/DNbqDo1ZVGHH+ZF:f
                                                                  MD5:2423274B9816407A1DDF0F586D6DA651
                                                                  SHA1:7D77A3166EAED3AF89C9F3E2E32BF83E45825C35
                                                                  SHA-256:55686A811D72D90388A427651E97C666B3C71537E7B1DBBC3EADA2B29464A943
                                                                  SHA-512:EDBE158271A8B8C6904D803287CE81988A4AB9D678CDE1A8460C9894E5A901ED6340E5B6F70618BC612037DC68219E439EC7C123684D290016677FEEC09F4FED
                                                                  Malicious:false
                                                                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20210428103939..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210428103940..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe..**********************..Windows PowerShell transcript start..Start time: 20210428104649..Username: computer\user..RunAs User: DESKTOP

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.5851312661265515
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  File name:DETALLE DE CITACION FISCAL PENDIENTE.exe
                                                                  File size:818688
                                                                  MD5:014700e8b066195a838cc64e2a92f8d2
                                                                  SHA1:38df508905566b855bd05ad79adc09740807bac4
                                                                  SHA256:09df870092fdf14100cf041139efcf165933d0d50c6ac8bf06fdf3116f63cfa2
                                                                  SHA512:13f8761b95a4a8c08b603369e8088908a1f2ee3f454f8da97ecdbb7aa288d3c8872755b0e9833197c3554071380904b618f1f92579af717e1b9d6be841f39153
                                                                  SSDEEP:24576:EC+8h+RZdNltzKLGyIyUvxy3DAcPXDnq7U+:EC+8YZdNl3nDkrPzq7j
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..`..............P..n............... ........@.. ....................................@................................

                                                                  File Icon

                                                                  Icon Hash:c9d4c4c5a6a8cec6

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x4c8c92
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x6088193D [Tue Apr 27 14:01:33 2021 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al

                                                                  Data Directories

                                                                  Name                                  Virtual Address  Virtual Size  Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8c40          0x4f          .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0xca000          0xac8         .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0xcc000          0xc           .reloc
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                  Sections

                                                                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                                  .text   0x2000           0xc6c98       0xc6e00   False     0.77676800165    data       7.5949673099     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rsrc   0xca000          0xac8         0xc00     False     0.408854166667   data       4.63887268122    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .reloc  0xcc000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  Name           RVA      Size   Type                                                                         Language  Country
                                                                  RT_ICON        0xca130  0x2e8  data
                                                                  RT_GROUP_ICON  0xca418  0x14   data
                                                                  RT_VERSION     0xca42c  0x4b0  data
                                                                  RT_MANIFEST    0xca8dc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                  Imports

                                                                  DLL          Import
                                                                  mscoree.dll  _CorExeMain

                                                                  Version Infos

                                                                  Description       Data
                                                                  Translation       0x0000 0x04b0
                                                                  LegalCopyright    52d138b0 cce0 4d4b b262 83aa7bde61a9
                                                                  Assembly Version  41.0.0.41
                                                                  InternalName      TokenListCount.exe
                                                                  FileVersion       41.0.0.73
                                                                  CompanyName       83a46845 d9a7 4f91 906f 12707b19bf54
                                                                  LegalTrademarks   eb2796f3 e8b0 46d2 97eb 96fc424ee6f8
                                                                  Comments          d1c1ee2d f6bf 4a44 ae82 873525233ccb
                                                                  ProductName       d2d57541 fbf5 4acc 98a1 50b48ae09692
                                                                  ProductVersion    41.0.0.73
                                                                  FileDescription   2e1378c9 8bd2 4a93 8cbe 3bc4511cd1a7
                                                                  OriginalFilename  TokenListCount.exe

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  Timestamp                 Protocol  SID      Message                                                  Source Port  Dest Port  Source IP       Dest IP
                                                                  04/28/21-10:39:21.487967  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)  1884         49715      201.219.204.73  192.168.2.5

                                                                  Network Port Distribution

                                                                  TCP Packets


                                                                  UDP Packets


                                                                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 28, 2021 10:39:20.736519098 CEST | 192.168.2.5 | 8.8.8.8 | 0x66bd | Standard query (0) | fransiscolopesierraazul09.duckdns.org | A (IP address) | IN (0x0001)

                                                                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 28, 2021 10:39:20.961771965 CEST | 8.8.8.8 | 192.168.2.5 | 0x66bd | No error (0) | fransiscolopesierraazul09.duckdns.org |  | 201.219.204.73 | A (IP address) | IN (0x0001)

                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Memory Usage

                                                                  High Level Behavior Distribution

                                                                  Behavior

                                                                  System Behavior

                                                                  General

Start time: 10:38:58
Start date: 28/04/2021
Path: C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
Imagebase: 0x910000
File size: 818688 bytes
MD5 hash: 014700E8B066195A838CC64E2A92F8D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.301328800.0000000002EE8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.301037988.0000000002E9C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.299299921.0000000002E41000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                  General

Start time: 10:39:09
Start date: 28/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DETALLE DE CITACION FISCAL PENDIENTE.exe'
Imagebase: 0xa00000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                  General

Start time: 10:39:09
Start date: 28/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff797770000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

Start time: 10:39:09
Start date: 28/04/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
Imagebase: 0xa00000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

                                                                  General

Start time: 10:39:10
Start date: 28/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

Start time: 10:39:10
Start date: 28/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PZiCrodPdRhuJR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1D6B.tmp'
Imagebase: 0x810000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                  General

                                                                  Start time:10:39:10
                                                                  Start date:28/04/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:10:39:11
                                                                  Start date:28/04/2021
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\PZiCrodPdRhuJR.exe'
                                                                  Imagebase:0xa00000
                                                                  File size:430592 bytes
                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  General

                                                                  Start time:10:39:12
                                                                  Start date:28/04/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7ecfc0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  General

                                                                  Start time:10:39:11
                                                                  Start date:28/04/2021
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                  Imagebase:0xff0000
                                                                  File size:45152 bytes
                                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:high

                                                                  Disassembly

                                                                  Code Analysis


                                                                    Execution Graph

                                                                    Execution Coverage:9.9%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:71
                                                                    Total number of Limit Nodes:5

                                                                    Graph

                                                                    (Rendered in the original as an interactive execution graph; its 71 nodes lie in the 0x01470000 region and form four call chains: 0x0147dec0 -> SetWindowLongW; 0x014763b0 -> 0x01476890 -> 0x0147b830 -> 0x0147bbb8 -> GetModuleHandleW, with 0x0147be50 -> 0x0147b0d8 -> LoadLibraryExW; 0x0147dc78 -> CreateWindowExW; 0x01476b98 -> GetCurrentProcess -> GetCurrentThread -> GetCurrentProcess -> 0x01476d49 -> DuplicateHandle -> GetCurrentThreadId.)

                                                                    Executed Functions

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 01476BF8
                                                                    • GetCurrentThread.KERNEL32 ref: 01476C35
                                                                    • GetCurrentProcess.KERNEL32 ref: 01476C72
                                                                    • GetCurrentThreadId.KERNEL32 ref: 01476CCB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: c554e7845fcf137567a8aaa1b4a6c8ff503b0349407d9c3550282212ef05ea03
                                                                    • Instruction ID: 5c06c1650bcde26f3a2f0f9942c9105d86e7ab119cf67965b31711a915a666e2
                                                                    • Opcode Fuzzy Hash: c554e7845fcf137567a8aaa1b4a6c8ff503b0349407d9c3550282212ef05ea03
                                                                    • Instruction Fuzzy Hash: 6D5186B49006488FEB14CFAAD6487DEBFF1EF49314F24805AE549B72A0D7B49884CF65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
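
The sdmp names quoted above (two in the RegSvcs.exe Yara matches, one in this Memory Dump Source line) encode where each dumped region sits and what page protection it had. The fifth field, 00000040, is PAGE_EXECUTE_READWRITE, and "based on PE: false" says the region is not backed by a mapped image; together that is the signature of unpacked or injected code rather than code loaded from disk. A code section mapped from disk is PAGE_EXECUTE_READ, so the AsyncRAT hit at 0x00402000 in RegSvcs.exe with 0x40 protection is either an image section whose protection was changed after mapping or private memory placed at the image's address; either way it is not the code RegSvcs.exe shipped with. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It assumes the field layout process index, stage, dump id, base address, protection, flags; only the base address and the protection are confirmed by the report itself (the Offset value repeats the fourth field), and the report lines quoted above are reused as constructed input.

```python
"""Parse Joe Sandbox memory-dump identifiers (*.sdmp) quoted in Yara match and
Memory Dump Source lines and rank the regions by how unusual their page
protection is for legitimate code."""
import re
from dataclasses import dataclass
from typing import Optional

# Windows PAGE_* protection constants (winnt.h); modifier bits such as
# PAGE_GUARD (0x100) are masked off before the lookup.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITE_EXEC = 0x40 | 0x80
EXEC_ONLY = 0x10 | 0x20

# Assumed field layout: <process index>.<stage>.<dump id>.<base>.<protection>.<flags>.sdmp
# Only the base address and protection are confirmed by the report ("Offset: 01470000"
# repeats the fourth field); the meaning of the other fields is an assumption.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp"
)
PE_RE = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)


@dataclass
class DumpRegion:
    name: str
    process_index: int
    stage: int
    dump_id: int
    base: int
    protection: int
    flags: int
    image_backed: Optional[bool]  # None when the line does not say

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def classification(self) -> str:
        """rwx: writable and executable; rx: executable only; data: not executable."""
        if self.protection & WRITE_EXEC:
            return "rwx"
        if self.protection & EXEC_ONLY:
            return "rx"
        return "data"


def parse_dump_line(line: str) -> Optional[DumpRegion]:
    """Parse one report line that quotes an sdmp name; None if the line has none."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    pe = PE_RE.search(line)
    return DumpRegion(
        name=m.group(0),
        process_index=int(m.group("proc"), 16),
        stage=int(m.group("stage"), 16),
        dump_id=int(m.group("dump")),
        base=int(m.group("base"), 16),
        protection=int(m.group("prot"), 16),
        flags=int(m.group("flags"), 16),
        image_backed=None if pe is None else pe.group(1).lower() == "true",
    )


def triage(lines) -> list:
    """Parsed regions, most suspicious first: writable+executable memory that is
    not backed by a mapped image is where unpacked payloads and injected code live."""
    rank = {"rwx": 0, "rx": 1, "data": 2}
    regions = [r for r in map(parse_dump_line, lines) if r is not None]
    return sorted(regions, key=lambda r: (rank[r.classification], r.image_backed is True, r.base))


# Constructed input: the report lines quoted above, plus one line without an sdmp name.
REPORT_LINES = [
    "Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.531425965.0000000000402000.00000040.00000001.sdmp, Author: Joe Security",
    "Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000011.00000002.536465518.0000000003521000.00000004.00000001.sdmp, Author: Joe Security",
    "Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false",
    "Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd",
]

if __name__ == "__main__":
    for r in triage(REPORT_LINES):
        print(f"proc 0x{r.process_index:02x} base 0x{r.base:08x} {r.protection_name:24} "
              f"{r.classification:4} image={r.image_backed}")
```

Running this over the report puts the two 0x40 regions ahead of the PAGE_READWRITE heap region at 0x03521000, which is the order in which a practitioner would pull the dumps into a .NET decompiler or configuration extractor: the writable-executable, non-image regions are where the decrypted AsyncRAT stage sits, while the read-write region is most likely the string or configuration data the second Yara rule hit.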

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 01476BF8
                                                                    • GetCurrentThread.KERNEL32 ref: 01476C35
                                                                    • GetCurrentProcess.KERNEL32 ref: 01476C72
                                                                    • GetCurrentThreadId.KERNEL32 ref: 01476CCB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 7d2c9f3909caf4cdaf4a9f8fe5bea723ed80b73dec0d795eba0433ba4f8e3d8a
                                                                    • Instruction ID: 45e6fb866eea212509841923e04aaf9d08a5794da9fc8ab0587555dee1b03214
                                                                    • Opcode Fuzzy Hash: 7d2c9f3909caf4cdaf4a9f8fe5bea723ed80b73dec0d795eba0433ba4f8e3d8a
                                                                    • Instruction Fuzzy Hash: DD5166B49006488FEB14CFAAD6487DEBBF1EB49314F20801AE559B73A0D7B49884CF65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x0147bbb8, blocks 0x0147bbb8 to 0x0147be38, calls 0x0147b080, 0x0147be40 or 0x0147be50, 0x0147b08c, 0x0147b09c, 0x01479920, 0x0147b0ac and GetModuleHandleW.)
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0147BE0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: aac00cb46211dc4b47fb20cbaee9131859e87ef3f3c33ca192fe949956820dc6
                                                                    • Instruction ID: fbcedf78fc96859abfb4bdd42baf5573ac3da4117a1a8c1cce919df79d8aece1
                                                                    • Opcode Fuzzy Hash: aac00cb46211dc4b47fb20cbaee9131859e87ef3f3c33ca192fe949956820dc6
                                                                    • Instruction Fuzzy Hash: DD712470A00B058FD724DF2AD54079ABBF1FF88214F008A2EE596D7B50DB35E9468B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x0147dc6d, blocks 0x0147dc6d to 0x0147dde9, calls CreateWindowExW.)
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0147DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 62c878f994e62abce8e20a2b996ee96188c8e02051e9d76918d6a4bbc8194c56
                                                                    • Instruction ID: 7abdd217b43ef9de8a3d141bc72429aa87e064d1ba85ed2bf2e8da991cc65a15
                                                                    • Opcode Fuzzy Hash: 62c878f994e62abce8e20a2b996ee96188c8e02051e9d76918d6a4bbc8194c56
                                                                    • Instruction Fuzzy Hash: 5551D1B1D10308EFDB14CF9AC984ADEBFB5BF48314F24812AE919AB210D7759985CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x0147dc78, blocks 0x0147dc78 to 0x0147dde9, calls CreateWindowExW.)
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0147DD8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 70aec7ee34f97d05a5fd7d9d643ba39604b99fb7b36b342bff0aafecee1a3cc3
                                                                    • Instruction ID: a215389dfb117610429a072fefac03f5fea4b6d3e5915f354011d7e9bad66883
                                                                    • Opcode Fuzzy Hash: 70aec7ee34f97d05a5fd7d9d643ba39604b99fb7b36b342bff0aafecee1a3cc3
                                                                    • Instruction Fuzzy Hash: EC41C1B1D103489FDB14CF9AD984ADEBBB5BF48314F24812AE919AB210D7749885CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x01476d49, blocks 0x01476d49 to 0x01476e7a, calls 0x01475864 and DuplicateHandle.)
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01476E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 6dd70b9b40909fa94389065769650163ab02759b08830892fea3e34e8c88c6bd
                                                                    • Instruction ID: 419f7284756f148d2af647a150a7703b4f0e7d43de055d1cf51fff94087e3c16
                                                                    • Opcode Fuzzy Hash: 6dd70b9b40909fa94389065769650163ab02759b08830892fea3e34e8c88c6bd
                                                                    • Instruction Fuzzy Hash: 60414976900258AFDB01CF99D840ADEBFF9FB49320F09841AFA54A7361C335A954DFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x01476db8, blocks 0x01476db8 to 0x01476e7a, calls DuplicateHandle.)
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01476E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: e9027ef7f5cc7c8d556f2366bcfcb8d19d6b3791c145258c4acbed5e1a0f81dc
                                                                    • Instruction ID: b7e056a218f6f325f782dbcc7b4d87fb423d9623610952dad131ff93d1bf3e05
                                                                    • Opcode Fuzzy Hash: e9027ef7f5cc7c8d556f2366bcfcb8d19d6b3791c145258c4acbed5e1a0f81dc
                                                                    • Instruction Fuzzy Hash: A821D2B5900248AFDB10CFAAD984ADEBBF9EB48324F15841AE914B7311D374A954CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x01476dc0, blocks 0x01476dc0 to 0x01476e7a, calls DuplicateHandle.)
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01476E47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: d3baa47b2ed004a90efeef797e7bc931db57d169e369cf1eebb2b10b2b073dc4
                                                                    • Instruction ID: e437f097175e32e5c9539b36d7714478f9835598e6b41fe69458a7c36e4986ab
                                                                    • Opcode Fuzzy Hash: d3baa47b2ed004a90efeef797e7bc931db57d169e369cf1eebb2b10b2b073dc4
                                                                    • Instruction Fuzzy Hash: 9821E2B5900248AFDB10CFAAD984ADEBBF9FB48324F14841AE914B7310D374A954CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x0147b0d8, blocks 0x0147b0d8 to 0x0147c0cd, calls LoadLibraryExW.)
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0147BE89,00000800,00000000,00000000), ref: 0147C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 05a292f24807655f7c31d0a53dc96e0c3e3a21c62daaadbe9607c41b96d3f562
                                                                    • Instruction ID: 7a55912a4ebf64d942ce5c9724ccb2d35b95904388fa5ee08a148b89c2b8dd42
                                                                    • Opcode Fuzzy Hash: 05a292f24807655f7c31d0a53dc96e0c3e3a21c62daaadbe9607c41b96d3f562
                                                                    • Instruction Fuzzy Hash: C81103B29042499FDB10CF9AD484BDEFBF4AB49324F04842ED915A7210C375A949CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    (Rendered in the original as an interactive graph of executed and not-executed basic blocks; function 0x0147c028, blocks 0x0147c028 to 0x0147c0cd, calls LoadLibraryExW.)
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0147BE89,00000800,00000000,00000000), ref: 0147C09A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 7d1c6c5ede90164e5d8954cba064375b2dfad417dfbb0a557bbfc2200dfb4756
                                                                    • Instruction ID: 789c2a33d2c66901fabf32639fd84f7c302abef1b99f6bad01462b8f253cc46b
                                                                    • Opcode Fuzzy Hash: 7d1c6c5ede90164e5d8954cba064375b2dfad417dfbb0a557bbfc2200dfb4756
                                                                    • Instruction Fuzzy Hash: F51142B2C002498FDB10CFAAC984BDEFBF4AB89324F14851ED519B7210C374A549CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    [Graph image not reproduced: basic blocks 147bda8-147be38; GetModuleHandleW is called from block 147bdf0-147be1b]
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0147BE0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 072320c356fddf8cee6ad9909b8d323dffe9ddbed3a49d76960ecf533b25626b
                                                                    • Instruction ID: 4886ed009fe9f4dc979d4c1071a2bce2716644713f251403e9f2836c2fdadb92
                                                                    • Opcode Fuzzy Hash: 072320c356fddf8cee6ad9909b8d323dffe9ddbed3a49d76960ecf533b25626b
                                                                    • Instruction Fuzzy Hash: EF11E0B6C006498FDB10CF9AD444BDFFBF4EB88224F14841AD969A7710D375A549CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    [Graph image not reproduced: basic blocks 147deb9-147df47; SetWindowLongW is called from block 147dec0-147df2a]
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 0147DF1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 9e99000e417e37ea69da0600aa754d66ade9edb9c462d521b1b3a3caa39bb78f
                                                                    • Instruction ID: 73898ea76b5ffe6ba92d0407b5547ce8e35dc148b9bfa1f20b04610ac018e45c
                                                                    • Opcode Fuzzy Hash: 9e99000e417e37ea69da0600aa754d66ade9edb9c462d521b1b3a3caa39bb78f
                                                                    • Instruction Fuzzy Hash: 5E1103B5C002489FDB10CF9AD489BDEBBF8EB48324F15841AE955A7300D374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    [Graph image not reproduced: basic blocks 147dec0-147df47; SetWindowLongW is called from block 147dec0-147df2a]
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 0147DF1D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: ae91df65a924bb0ac7c5c06de0d81f628d9743b428b8d0d9279bc04935620c5b
                                                                    • Instruction ID: 7d397e809b68c14777e1adbf728b2fe66e99a0f496fe5f85805ccd41c2a68dd9
                                                                    • Opcode Fuzzy Hash: ae91df65a924bb0ac7c5c06de0d81f628d9743b428b8d0d9279bc04935620c5b
                                                                    • Instruction Fuzzy Hash: E111E2B58002499FDB10CF9AD585BDEBBF8EF48324F14841AE955A7740C375A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.295888511.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_129d000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8f2c8183a1e998a628857e57d95be2f8d30277d3cd5b850cc8bf54a54b7bcfb8
                                                                    • Instruction ID: 4b96cd86984e5d686387fb3b5953674f4c685b7fcf216e26b3410f2914bf3034
                                                                    • Opcode Fuzzy Hash: 8f2c8183a1e998a628857e57d95be2f8d30277d3cd5b850cc8bf54a54b7bcfb8
                                                                    • Instruction Fuzzy Hash: 33214571518248DFCF14CF68D8C0B26BB61FB84354F24C96DD9094B246C376D807DB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.295888511.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_129d000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3fce3aceca653d6214cc60db6b5e3eadbb8374b228890e84087ed2affc157ba0
                                                                    • Instruction ID: c50a8c805edb9c688c55cab9bc09971de8b065a5158e084062c79f7dc0c80e4a
                                                                    • Opcode Fuzzy Hash: 3fce3aceca653d6214cc60db6b5e3eadbb8374b228890e84087ed2affc157ba0
                                                                    • Instruction Fuzzy Hash: F611BE75504284CFDF12CF58D5D4B15BB61FB44314F28C6AAD9094B656C33AD44ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b77e119dc62787b555c6afe0988f9bb08264d24227f7886efd3729b0cba0786f
                                                                    • Instruction ID: 2f288a0c09c8ed12904086a85ca9276753aa10e0b6deb8bd48e206775e80edc3
                                                                    • Opcode Fuzzy Hash: b77e119dc62787b555c6afe0988f9bb08264d24227f7886efd3729b0cba0786f
                                                                    • Instruction Fuzzy Hash: 5A526EF19C17068BDB28CF16EAC91A93BB1FB44324BD24A19C1636B690D3B455EECF44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.297229567.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_1470000_DETALLE DE CITACION FISCAL PENDIENTE.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f96c741c4eaf2092613991f1158878e3cb0289aad84a8534f7ec878ba083beb2
                                                                    • Instruction ID: db2e32a63d9a12372b47f04eb4663830deb0a7ca36c0a1eaa29e9627ebdfca42
                                                                    • Opcode Fuzzy Hash: f96c741c4eaf2092613991f1158878e3cb0289aad84a8534f7ec878ba083beb2
                                                                    • Instruction Fuzzy Hash: 32A19132E0061A8FCF15DFB9C8845DEBBB2FF85304B15856AE905BB261EB31E955CB40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Executed Functions

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.439555739.0000000002DFD000.00000040.00000001.sdmp, Offset: 02DFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_2dfd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 48bb6dac9e901f2f196632a8edc3a555c6ab905512a5997d2c627b7ed62b8beb
                                                                    • Instruction ID: 207628334a2dbdd9ba5a310a8aecd01279a555ac52691f0b5dedd2e7ebfcceea
                                                                    • Opcode Fuzzy Hash: 48bb6dac9e901f2f196632a8edc3a555c6ab905512a5997d2c627b7ed62b8beb
                                                                    • Instruction Fuzzy Hash: F901F771408340AAE7604A21DC84766BB89EF41268F29C05AEF445B786C379DD45C6B5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.439555739.0000000002DFD000.00000040.00000001.sdmp, Offset: 02DFD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_2dfd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c30d7a9a94c3eef449d81ce922029a9a5b4c38565de87ad708332d776df5d030
                                                                    • Instruction ID: c109c93cf436a5ac6b3a0e1735d5194289d8c24d64da98aa0434fec33b12bb51
                                                                    • Opcode Fuzzy Hash: c30d7a9a94c3eef449d81ce922029a9a5b4c38565de87ad708332d776df5d030
                                                                    • Instruction Fuzzy Hash: 81014C6140D3C09ED7128B258C94B62BFB4EF43224F19C1DBE9849F2A7C2695849C7B2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Execution Graph

                                                                    Execution Coverage: 16.6%
                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 6
                                                                    Total number of Limit Nodes: 0

                                                                    Graph

                                                                    [Execution graph image not reproduced: 1744668 -> 1744686 -> 1743614 -> 1746188 (LoadLibraryA) -> 1746264; additional node 17446bd]

                                                                    Executed Functions

                                                                    Control-flow Graph

                                                                    [Graph image not reproduced: basic blocks 174617c-17462ad; LoadLibraryA is called from block 1746218-1746262]
                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(?), ref: 01746252
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.534053314.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_1740000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 8fc132fd7cddf5f1d88329abb0a6d99d86d9766e5687ddd472c5188ce65711c9
                                                                    • Instruction ID: 4ac2d3cc38c711d13e467162b01be3fd387baa5bb8c96c5d95bd5531f21780a5
                                                                    • Opcode Fuzzy Hash: 8fc132fd7cddf5f1d88329abb0a6d99d86d9766e5687ddd472c5188ce65711c9
                                                                    • Instruction Fuzzy Hash: 244133B0D082499FDB14CFA8C8957DEFBF1BB4A314F148129E855E7280D7799485CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    [Graph image not reproduced: basic blocks 1743614-17462ad; LoadLibraryA is called from block 1746218-1746262]
                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(?), ref: 01746252
                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.534053314.0000000001740000.00000040.00000001.sdmp, Offset: 01740000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_1740000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: f9d7df7da0ea85f848a115321d2427330c5a2805cbeefb6b614d286098609479
                                                                    • Instruction ID: f6713710869c4fca7d1e9c0cd8ed1263f806a2e1d26e05d6a5bb6fafa8633ad7
                                                                    • Opcode Fuzzy Hash: f9d7df7da0ea85f848a115321d2427330c5a2805cbeefb6b614d286098609479
                                                                    • Instruction Fuzzy Hash: A43123B0D082499FDF14CFA9C8957DEFBB1BB4A314F148129E815A7380D7B59485CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.533482145.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_16ed000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c499133f3de93a02d419ff80306579f53df5e24ffa32fca25312d52b9e2f04de
                                                                    • Instruction ID: 14b77cd539dea3ea060c9fcb39564ab45ea67cc678f576c520bfe3123f871824
                                                                    • Opcode Fuzzy Hash: c499133f3de93a02d419ff80306579f53df5e24ffa32fca25312d52b9e2f04de
                                                                    • Instruction Fuzzy Hash: B82148B1505240DFDB01CF84DDC8B26BFA5FB98328F24C669E9090B34AC336D856CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.533482145.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_16ed000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 98e396e4402fcc01265a61e78ce1a3dea7338023961485c9237562b80e5581e6
                                                                    • Instruction ID: c855e20678558123b1da018375e8595bb7017c299aa000704e91f9ff9d07830e
                                                                    • Opcode Fuzzy Hash: 98e396e4402fcc01265a61e78ce1a3dea7338023961485c9237562b80e5581e6
                                                                    • Instruction Fuzzy Hash: A52148B1506240DFCB01CF54CDC4B66BFA5FBA4324F24C669E9094B346C336E846C7A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.533482145.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_16ed000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
                                                                    • Instruction ID: 62615f33ace00f7243d3caf72135729ac7a774f90377e5f3726edf4e8682cc9f
                                                                    • Opcode Fuzzy Hash: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
                                                                    • Instruction Fuzzy Hash: 2211B1B6405280DFCB12CF54D9C4B56BFB1FB94324F28C6A9D8450B656C336E45ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000011.00000002.533482145.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_17_2_16ed000_RegSvcs.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
                                                                    • Instruction ID: 35a9a0384697a5d15341f0b574949e0a637901c97a0255f29dbb7bcc512a4917
                                                                    • Opcode Fuzzy Hash: 6c2714ef245c7a7d187a19bb68fde141c678a7e158619bf4c30222c01bc86617
                                                                    • Instruction Fuzzy Hash: B711AF76804280DFDB12CF54D9C4B16BFB1FB84324F28C6A9D9050B656C336D45ACBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions