Edit tour

Windows Analysis Report
Cotizaci#U00f3n P13000996 pdf.exe

Overview

General Information

Sample name:	Cotizaci#U00f3n P13000996 pdf.exe renamed because original name is a hash value
Original sample name:	Cotizacin P13000996 pdf.exe
Analysis ID:	1528679
MD5:	cd3a6f4e87632d933a99502e32a34b73
SHA1:	0033645d2b94cf4e56c8ea6eb8508e3c2ee77b11
SHA256:	b7c70cd300732d7faad3e5a898a93b0dbff2a62ec9555eef0997af34baa721ca
Tags:	exeuser-lowmal3
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Cotizaci#U00f3n P13000996 pdf.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

powershell.exe (PID: 7576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8048 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7660 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Cotizaci#U00f3n P13000996 pdf.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

jHJQWf.exe (PID: 8012 cmdline: C:\Users\user\AppData\Roaming\jHJQWf.exe MD5: CD3A6F4E87632D933A99502E32A34B73)

schtasks.exe (PID: 6448 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jHJQWf.exe (PID: 6680 cmdline: "C:\Users\user\AppData\Roaming\jHJQWf.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

jHJQWf.exe (PID: 7092 cmdline: "C:\Users\user\AppData\Roaming\jHJQWf.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

ZUHFqcY.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

schtasks.exe (PID: 7924 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZUHFqcY.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

ZUHFqcY.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

schtasks.exe (PID: 7448 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZUHFqcY.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: CD3A6F4E87632D933A99502E32A34B73)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "eric.zhang@longpowartech.com", "Password": "    w#chNV#1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.2556220086.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.2556822159.000000000324C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2556220086.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.1513664213.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.2556822159.0000000003216000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.1513664213.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2556274282.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2556220086.0000000002E97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2556274282.0000000002F77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7836	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7836	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jHJQWf.exe PID: 8012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jHJQWf.exe PID: 8012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: jHJQWf.exe PID: 8012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jHJQWf.exe PID: 7092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jHJQWf.exe PID: 7092	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7612	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7612	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7744	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 7532	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 6524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 6524	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.jHJQWf.exe.3e392e8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.jHJQWf.exe.3e392e8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.jHJQWf.exe.3e392e8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
17.2.ZUHFqcY.exe.3857a30.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.ZUHFqcY.exe.3857a30.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.2.ZUHFqcY.exe.3857a30.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
22.2.ZUHFqcY.exe.41b7860.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.ZUHFqcY.exe.41b7860.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
22.2.ZUHFqcY.exe.41b7860.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
20.2.ZUHFqcY.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.ZUHFqcY.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
20.2.ZUHFqcY.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.ZUHFqcY.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
22.2.ZUHFqcY.exe.417be40.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.ZUHFqcY.exe.417be40.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
22.2.ZUHFqcY.exe.417be40.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.jHJQWf.exe.3dfd8c8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.jHJQWf.exe.3dfd8c8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.jHJQWf.exe.3dfd8c8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
22.2.ZUHFqcY.exe.41b7860.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.ZUHFqcY.exe.41b7860.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
22.2.ZUHFqcY.exe.41b7860.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
22.2.ZUHFqcY.exe.41b7860.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fbd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fcf0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fd5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fdcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fef2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.jHJQWf.exe.3e392e8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.jHJQWf.exe.3e392e8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.jHJQWf.exe.3e392e8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.jHJQWf.exe.3e392e8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fbd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fcf0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fd5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fdcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fef2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fd62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fdd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fe5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fef0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ff5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ffcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70062:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
17.2.ZUHFqcY.exe.3857a30.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.ZUHFqcY.exe.3857a30.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.ZUHFqcY.exe.3857a30.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
17.2.ZUHFqcY.exe.3857a30.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fbd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fcf0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fd5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fdcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fef2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
22.2.ZUHFqcY.exe.417be40.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.ZUHFqcY.exe.417be40.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
22.2.ZUHFqcY.exe.417be40.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
22.2.ZUHFqcY.exe.417be40.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fd62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fdd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fe5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fef0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ff5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ffcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70062:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fb62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fbd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fc5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fcf0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fd5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fdcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fe62:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6fef2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fd62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab582:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fdd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab5f4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fe5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab67e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fef0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab710:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ff5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab77a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ffcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab7ec:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70062:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab882:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 48 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, ParentProcessId: 7400, ParentProcessName: Cotizaci#U00f3n P13000996 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ProcessId: 7576, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, ProcessId: 7836, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZUHFqcY

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jHJQWf.exe, ParentImage: C:\Users\user\AppData\Roaming\jHJQWf.exe, ParentProcessId: 8012, ParentProcessName: jHJQWf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp", ProcessId: 6448, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, Initiated: true, ProcessId: 7836, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, ParentProcessId: 7400, ParentProcessName: Cotizaci#U00f3n P13000996 pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", ProcessId: 7660, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, ParentProcessId: 7400, ParentProcessName: Cotizaci#U00f3n P13000996 pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ProcessId: 7576, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe", ParentImage: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe, ParentProcessId: 7400, ParentProcessName: Cotizaci#U00f3n P13000996 pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp", ProcessId: 7660, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 20.2.ZUHFqcY.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "eric.zhang@longpowartech.com", "Password": " w#chNV#1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Virustotal: Detection: 58%	Perma Link

Multi AV Scanner detection for submitted file

Source: Cotizaci#U00f3n P13000996 pdf.exe	ReversingLabs: Detection: 47%
Source: Cotizaci#U00f3n P13000996 pdf.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Cotizaci#U00f3n P13000996 pdf.exe

Joe Sandbox ML: detected

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 4x nop then jmp 06C79DE9h	0_2_06C79F9E
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 4x nop then jmp 071B90C9h	11_2_071B927E
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 4x nop then jmp 059C90C9h	17_2_059C927E
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 4x nop then jmp 073C90C9h	22_2_073C927E

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 208.91.198.143:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 208.91.198.143:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ZUHFqcY.exe, 00000019.00000002.2553428808.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting0
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1324801590.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1370783365.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1445199267.000000000280E000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1533879364.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, X3fxBL.cs	.Net Code: UdKYqv
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, X3fxBL.cs	.Net Code: UdKYqv

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.jHJQWf.exe.3e392e8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.ZUHFqcY.exe.3857a30.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.ZUHFqcY.exe.41b7860.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.ZUHFqcY.exe.417be40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.jHJQWf.exe.3dfd8c8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_026FD304	0_2_026FD304
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C70E08	0_2_06C70E08
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C74240	0_2_06C74240
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C7630F	0_2_06C7630F
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C76320	0_2_06C76320
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C73E08	0_2_06C73E08
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C7CC60	0_2_06C7CC60
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C70DF9	0_2_06C70DF9
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C75A48	0_2_06C75A48
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C739D0	0_2_06C739D0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_08572E90	0_2_08572E90
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_08576108	0_2_08576108
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_085735F8	0_2_085735F8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_0857AE97	0_2_0857AE97
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_0857AEA8	0_2_0857AEA8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_014DE220	9_2_014DE220
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_014D4AD0	9_2_014D4AD0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_014DADF0	9_2_014DADF0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_014D3EB8	9_2_014D3EB8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_014D4200	9_2_014D4200
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B36610	9_2_06B36610
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B32758	9_2_06B32758
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B355B8	9_2_06B355B8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B3BC88	9_2_06B3BC88
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B37DA0	9_2_06B37DA0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B376C0	9_2_06B376C0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B30040	9_2_06B30040
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 9_2_06B35D10	9_2_06B35D10
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_02BCD304	11_2_02BCD304
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_05317A40	11_2_05317A40
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_05310007	11_2_05310007
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_05310040	11_2_05310040
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_05313F68	11_2_05313F68
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_05317A31	11_2_05317A31
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B0E08	11_2_071B0E08
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B3E08	11_2_071B3E08
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B0DFB	11_2_071B0DFB
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B630F	11_2_071B630F
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B6320	11_2_071B6320
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B5A48	11_2_071B5A48
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B4240	11_2_071B4240
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071B39D0	11_2_071B39D0
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_071BC000	11_2_071BC000
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_0151E210	16_2_0151E210
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_0151A220	16_2_0151A220
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_01514AD0	16_2_01514AD0
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_0151ADE0	16_2_0151ADE0
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_01513EB8	16_2_01513EB8
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_01514200	16_2_01514200
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA6610	16_2_06BA6610
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA2758	16_2_06BA2758
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA55B8	16_2_06BA55B8
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BABC88	16_2_06BABC88
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA7DA0	16_2_06BA7DA0
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA5D10	16_2_06BA5D10
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA76C0	16_2_06BA76C0
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 16_2_06BA0040	16_2_06BA0040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_024DD304	17_2_024DD304
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C0E08	17_2_059C0E08
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C39D0	17_2_059C39D0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C0DFA	17_2_059C0DFA
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059CBF40	17_2_059CBF40
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C3E08	17_2_059C3E08
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C630F	17_2_059C630F
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C6320	17_2_059C6320
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C5A48	17_2_059C5A48
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_059C4240	17_2_059C4240
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_02D64AD0	20_2_02D64AD0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_02D63EB8	20_2_02D63EB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_02D6DCE8	20_2_02D6DCE8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_02D64200	20_2_02D64200
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB6610	20_2_06AB6610
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB3480	20_2_06AB3480
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB55B8	20_2_06AB55B8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06ABBC79	20_2_06ABBC79
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB7DA0	20_2_06AB7DA0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB76C0	20_2_06AB76C0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB2748	20_2_06AB2748
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB0040	20_2_06AB0040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 20_2_06AB5CFB	20_2_06AB5CFB
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_0306D304	22_2_0306D304
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_05CA6230	22_2_05CA6230
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_05CAAE97	22_2_05CAAE97
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_05CAAEA8	22_2_05CAAEA8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C0E08	22_2_073C0E08
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073CBF40	22_2_073CBF40
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C3E08	22_2_073C3E08
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C0DFA	22_2_073C0DFA
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C6320	22_2_073C6320
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C630F	22_2_073C630F
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C5A48	22_2_073C5A48
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C4240	22_2_073C4240
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C39B1	22_2_073C39B1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C39D0	22_2_073C39D0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016D4AD0	25_2_016D4AD0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016DDCE8	25_2_016DDCE8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016D3EB8	25_2_016D3EB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016DAE9E	25_2_016DAE9E
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016D4200	25_2_016D4200
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_016DA8B8	25_2_016DA8B8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB6610	25_2_06BB6610
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB2758	25_2_06BB2758
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB55B8	25_2_06BB55B8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BBBC88	25_2_06BBBC88
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB7DA0	25_2_06BB7DA0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB76C0	25_2_06BB76C0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB0040	25_2_06BB0040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06BB5D10	25_2_06BB5D10
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06CAE550	25_2_06CAE550
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06CA6088	25_2_06CA6088
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06CA7B78	25_2_06CA7B78
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06CA7920	25_2_06CA7920

Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1329784750.0000000007173000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUZWH.exe@ vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000000.1285709787.0000000000602000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUZWH.exe@ vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1323841652.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename51fb4aff-95dd-4a93-9ab4-04a316570185.exe4 vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1324801590.0000000002966000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename51fb4aff-95dd-4a93-9ab4-04a316570185.exe4 vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1329209888.0000000006F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2552156896.00000000010F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Cotizaci#U00f3n P13000996 pdf.exe
Source: Cotizaci#U00f3n P13000996 pdf.exe	Binary or memory string: OriginalFilenameUZWH.exe@ vs Cotizaci#U00f3n P13000996 pdf.exe

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.jHJQWf.exe.3e392e8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.ZUHFqcY.exe.3857a30.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.ZUHFqcY.exe.41b7860.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.ZUHFqcY.exe.417be40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.jHJQWf.exe.3dfd8c8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Cotizaci#U00f3n P13000996 pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jHJQWf.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZUHFqcY.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, ojfoYn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, ojfoYn.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, fq6MquFPL9.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, fq6MquFPL9.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, t1Bk2Cij9OL7hxApyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, t1Bk2Cij9OL7hxApyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@33/20@3/2

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

File created: C:\Users\user\AppData\Roaming\jHJQWf.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Mutant created: \Sessions\1\BaseNamedObjects\FWiJhSZjRaDRXVTmaB

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8543.tmp

Jump to behavior

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Cotizaci#U00f3n P13000996 pdf.exe	ReversingLabs: Detection: 47%
Source: Cotizaci#U00f3n P13000996 pdf.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

File read: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe C:\Users\user\AppData\Roaming\jHJQWf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Cotizaci#U00f3n P13000996 pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Cotizaci#U00f3n P13000996 pdf.exe, appForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: Cotizaci#U00f3n P13000996 pdf.exe, appForm.cs	.Net Code: InitializeComponent
Source: jHJQWf.exe.0.dr, appForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: jHJQWf.exe.0.dr, appForm.cs	.Net Code: InitializeComponent
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	.Net Code: hPxCIUWDZT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.5ad0000.4.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	.Net Code: hPxCIUWDZT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.28e8980.0.raw.unpack, RZ.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: ZUHFqcY.exe.9.dr, appForm.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: ZUHFqcY.exe.9.dr, appForm.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_026FF498 pushad ; iretd	0_2_026FF499
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_06C70007 push es; ret	0_2_06C7001C
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_0857C287 pushad ; ret	0_2_0857C28A
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_08575EDD push 0000003Bh; ret	0_2_08575EDF
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_08575F0B push 0000003Bh; ret	0_2_08575F0D
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Code function: 0_2_0857B3E0 pushfd ; iretd	0_2_0857B3E9
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_02BCF498 pushad ; iretd	11_2_02BCF499
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Code function: 11_2_02BCF49B push esp; iretd	11_2_02BCF4A1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_024DF498 pushad ; iretd	17_2_024DF499
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 17_2_024DF49A push esp; iretd	17_2_024DF4A1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_0306F498 pushad ; iretd	22_2_0306F499
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_05CAB3E0 pushfd ; iretd	22_2_05CAB3E9
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_05CAC287 pushad ; ret	22_2_05CAC28A
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C84C0 pushad ; iretd	22_2_073C84C1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 22_2_073C8040 push eax; retf	22_2_073C8041
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 25_2_06CADAB2 pushad ; ret	25_2_06CADABD

Source: Cotizaci#U00f3n P13000996 pdf.exe	Static PE information: section name: .text entropy: 7.903574933359164
Source: jHJQWf.exe.0.dr	Static PE information: section name: .text entropy: 7.903574933359164
Source: ZUHFqcY.exe.9.dr	Static PE information: section name: .text entropy: 7.903574933359164

Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, GaowXKVR2aQlewcGrF.cs	High entropy of concatenated method names: 'ToString', 'VylHUeD0y1', 'TG3H1QcqBJ', 'mAJHcXNsAM', 'FPLHyE388n', 'Ex8HLuVye5', 'mQ3HEotB9g', 'e42HMCN0xq', 'oZCH6AsbWh', 'QJAHhwL2Ig'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, kGhQx8zW7tD4xUsS0k.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bjs4ZisBJ9', 'Gah4niDSSj', 'fNb4H1LVY3', 'h1q4B9tkAi', 'r6M4Fuy1Kx', 'jYO44dEcOR', 'Tl94KYJ7dk'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, Hgx8lB77ZHLunMZtJR4.cs	High entropy of concatenated method names: 'ToString', 'ahQKTX8yO1', 'LsGKC8OnbT', 'kx0KNII5aE', 'leaK5SF89a', 'TlPKbBvtGl', 'YmBKl6xZUT', 'OFAKXYvjXw', 'khtcTRgVZ0vfWsrEowT', 'Nq7b74gS6eiK70wDucg'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, jlAbg9bsAksQbn0BSt.cs	High entropy of concatenated method names: 'Dispose', 'A5m7a3Q87S', 'W7ur1d6Qd8', 'YKBFF3uqgW', 'rIx7xiO6RB', 'SCp7zZV244', 'ProcessDialogKey', 'IQtr8boXwj', 'B4Fr7H9HCm', 'tqmrrJvbZ7'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, DnVEL5hMsXVFgwadNK.cs	High entropy of concatenated method names: 'g2bYdUuH9N', 'I2RYsGF07S', 'cLmYI0fLJu', 'gUFYQiLa3f', 'Ry1Yot4sPQ', 'peJY2Pj098', 'AgEYGlhmDb', 'tihYiKkSWg', 'NuCYpe4M5A', 'xtEYmFMHHP'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, nVEBu9rlohQqSGc472.cs	High entropy of concatenated method names: 'BoXItfIAk', 'RkOQN6IGQ', 'n9525b6Fi', 'wUZG6d5BA', 'Ot0p3bQ9D', 'agOmjMyuS', 'IoDfQpphGyAyoL7a56', 'GXSZoXoP60Dgg9ayCa', 'neiFbHLN5', 'EmuKoUygj'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, t1Bk2Cij9OL7hxApyp.cs	High entropy of concatenated method names: 'IXgb3BRBH7', 'LmHbjLLj5U', 'r1pbVnkCQF', 'rYxbO1SGfh', 'xh1bvcQbol', 'HpCbA9xSUe', 'MdWbJ8huPy', 'YLqbSoVfJn', 'OUBbalUCAJ', 'D72bxEMCdx'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, Iu970e78CcvqscLfowb.cs	High entropy of concatenated method names: 'PJa4dvQ3Y8', 'MPc4sgG8S3', 'mAG4IquAh2', 'sVh4QKF6jQ', 'fK74oFwMdc', 'C7q42eD4RW', 'GAQ4G9TEli', 'fdg4imWRD6', 'wY74ptGU5k', 'Vfg4mAkvyC'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, zxiO6RSBVCpZV244cQ.cs	High entropy of concatenated method names: 'T49F53gePi', 'QqmFbUhaho', 'I21FlYvPOs', 'upcFXTEbvY', 'uwXF962L4s', 'yScFYIx7i0', 'UQMFWUL1k6', 'Tm3Fu9VYsS', 'BbXFgtosNg', 'rYhFPPL7I3'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, LHJoQNfyxfUVJRXEYU.cs	High entropy of concatenated method names: 'jtb9NOWrcE', 'be29bB5vI9', 'Brc9XCXhgx', 'TcZ9Y3oRZZ', 'yuS9WA0Vhe', 'hh8XvYSGpI', 'pJJXAXdkUH', 'mGZXJ2qIHp', 'uOJXS594mO', 'HiHXaDeaTM'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, MTeQYWpTVZnx5PdeIa.cs	High entropy of concatenated method names: 'QsRlQ0FIcB', 'h1hl2nhZ45', 'Mw3li0RWtE', 'wiNlpVRpPv', 'iPblnp3brf', 'Hx9lHXOTXB', 'UxnlBBhIOD', 'KgYlFLm4XA', 'L6Tl4IyJHa', 'ik3lKUT2x6'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, xxVZHBMeXZjnCaCF2V.cs	High entropy of concatenated method names: 'axTY5qST6l', 'OPGYl0cKLx', 'AJZY95bGrm', 'VVp9xeLyOF', 'D7t9zSweNA', 'OPlY8WBddt', 'Vq8Y7bkhIF', 'Wf0YroBBmp', 'siRYTV0089', 'rwjYCA5BWM'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, vboXwjao4FH9HCmDqm.cs	High entropy of concatenated method names: 'miAFfTfeLc', 'O4mF1xqAbP', 'kjcFcuAgwi', 'meTFy4LLnd', 'qxLF3FUXKd', 'MJcFLfeqt0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, ewdjABCc9fRB285i6r.cs	High entropy of concatenated method names: 'dgD7Y1Bk2C', 'R9O7WL7hxA', 'kTV7gZnx5P', 'xeI7PaOGbO', 'epT7nuXMHJ', 'BQN7HyxfUV', 'DJLTPF9rlMftA2497Z', 'syBcg8nMtwwTxxSyGj', 'Bkl77oR8xR', 'u627TQ1A6q'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, WvbZ7MxouRorWu0iPT.cs	High entropy of concatenated method names: 'BF6470p0tO', 'vnr4T3KALe', 'X3W4Cvg9JQ', 'To445hw9Zv', 'ip44b4MY37', 'QLv4Xfx9C2', 'bCM49LNdMB', 'bOSFJjEEDM', 'iaaFSq1AEm', 'PhLFaM1pQj'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, vxkXWX30uyfCGNcUlA.cs	High entropy of concatenated method names: 'BcOnwoe8Bq', 'ArWnkFZWAp', 'j0wn3echV9', 'Ca5njafGQK', 'u98n1S8Kek', 'lcgncNFhhh', 'wP2nyTfjUn', 'K3onLDmltg', 'JgFnEIiL0C', 'hxbnM0ktHp'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	High entropy of concatenated method names: 'n8GTN8EFZD', 'NoNT5Y8EeN', 'XHpTbjyd6p', 'TjmTldL46r', 'iWNTXAu50G', 'WPxT9409C3', 'HPcTYEvQBg', 'JChTWN3gll', 'eAnTufd4wc', 'oSOTgGn45J'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, hcT8ZLlpGEGA22NQ19.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'avqraDWDUw', 'CkNrxjItPl', 'Wi3rzVRN07', 'w8hT8J6ucZ', 'jqXT7KInFG', 'G0KTrtJn0O', 'aJyTTVGVSY', 'HZ3yoWXts4FKMoohc3h'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, s2A4VA0KwXsZsunAiV.cs	High entropy of concatenated method names: 'K8uZifLHGY', 'DsWZp1DHiV', 'OLFZfqkN2G', 'rARZ1aX732', 'KbwZyrKgnr', 'tYXZLWdLQb', 'pGVZMY7BSj', 'GBhZ6pWFNo', 'nksZw3aOvJ', 'kIRZUUimYN'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, hujg0XAwssmBOTDeL8.cs	High entropy of concatenated method names: 'kmkBSh0aHq', 'JntBxhoyAs', 'BPSF8nGZ9w', 'QcjF7H5ZYa', 'IRUBUKJokT', 'XCYBkV7xrN', 'UupB0llhMi', 'kbmB3v8YXR', 'oySBjqs7pC', 'gRGBVxY0Rt'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, UbCkuBEUJrMgmcxNvt.cs	High entropy of concatenated method names: 'edE9Vux0yP', 'Q7I9OPZNEH', 'gJ39vC8UlB', 'ToString', 'Jwp9AearTo', 'wQn9JwR1CO', 'ouWikFCKcLOdPV6cSyU', 'vH66SmCcsHfw414gYTj', 'cuSUcJClByLNpxcfsH0'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3ac4520.1.raw.unpack, dPZsLr7Tf0fITIIVKGr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mqQK3CWb9u', 'DVtKjD2NZw', 'fkaKVbpUhW', 'wIHKOeByuL', 'rS8KvGbhrh', 'mwnKAbxBc3', 'QLpKJCG9X5'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, GaowXKVR2aQlewcGrF.cs	High entropy of concatenated method names: 'ToString', 'VylHUeD0y1', 'TG3H1QcqBJ', 'mAJHcXNsAM', 'FPLHyE388n', 'Ex8HLuVye5', 'mQ3HEotB9g', 'e42HMCN0xq', 'oZCH6AsbWh', 'QJAHhwL2Ig'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, kGhQx8zW7tD4xUsS0k.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bjs4ZisBJ9', 'Gah4niDSSj', 'fNb4H1LVY3', 'h1q4B9tkAi', 'r6M4Fuy1Kx', 'jYO44dEcOR', 'Tl94KYJ7dk'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, Hgx8lB77ZHLunMZtJR4.cs	High entropy of concatenated method names: 'ToString', 'ahQKTX8yO1', 'LsGKC8OnbT', 'kx0KNII5aE', 'leaK5SF89a', 'TlPKbBvtGl', 'YmBKl6xZUT', 'OFAKXYvjXw', 'khtcTRgVZ0vfWsrEowT', 'Nq7b74gS6eiK70wDucg'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, jlAbg9bsAksQbn0BSt.cs	High entropy of concatenated method names: 'Dispose', 'A5m7a3Q87S', 'W7ur1d6Qd8', 'YKBFF3uqgW', 'rIx7xiO6RB', 'SCp7zZV244', 'ProcessDialogKey', 'IQtr8boXwj', 'B4Fr7H9HCm', 'tqmrrJvbZ7'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, DnVEL5hMsXVFgwadNK.cs	High entropy of concatenated method names: 'g2bYdUuH9N', 'I2RYsGF07S', 'cLmYI0fLJu', 'gUFYQiLa3f', 'Ry1Yot4sPQ', 'peJY2Pj098', 'AgEYGlhmDb', 'tihYiKkSWg', 'NuCYpe4M5A', 'xtEYmFMHHP'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, nVEBu9rlohQqSGc472.cs	High entropy of concatenated method names: 'BoXItfIAk', 'RkOQN6IGQ', 'n9525b6Fi', 'wUZG6d5BA', 'Ot0p3bQ9D', 'agOmjMyuS', 'IoDfQpphGyAyoL7a56', 'GXSZoXoP60Dgg9ayCa', 'neiFbHLN5', 'EmuKoUygj'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, t1Bk2Cij9OL7hxApyp.cs	High entropy of concatenated method names: 'IXgb3BRBH7', 'LmHbjLLj5U', 'r1pbVnkCQF', 'rYxbO1SGfh', 'xh1bvcQbol', 'HpCbA9xSUe', 'MdWbJ8huPy', 'YLqbSoVfJn', 'OUBbalUCAJ', 'D72bxEMCdx'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, Iu970e78CcvqscLfowb.cs	High entropy of concatenated method names: 'PJa4dvQ3Y8', 'MPc4sgG8S3', 'mAG4IquAh2', 'sVh4QKF6jQ', 'fK74oFwMdc', 'C7q42eD4RW', 'GAQ4G9TEli', 'fdg4imWRD6', 'wY74ptGU5k', 'Vfg4mAkvyC'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, zxiO6RSBVCpZV244cQ.cs	High entropy of concatenated method names: 'T49F53gePi', 'QqmFbUhaho', 'I21FlYvPOs', 'upcFXTEbvY', 'uwXF962L4s', 'yScFYIx7i0', 'UQMFWUL1k6', 'Tm3Fu9VYsS', 'BbXFgtosNg', 'rYhFPPL7I3'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, LHJoQNfyxfUVJRXEYU.cs	High entropy of concatenated method names: 'jtb9NOWrcE', 'be29bB5vI9', 'Brc9XCXhgx', 'TcZ9Y3oRZZ', 'yuS9WA0Vhe', 'hh8XvYSGpI', 'pJJXAXdkUH', 'mGZXJ2qIHp', 'uOJXS594mO', 'HiHXaDeaTM'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, MTeQYWpTVZnx5PdeIa.cs	High entropy of concatenated method names: 'QsRlQ0FIcB', 'h1hl2nhZ45', 'Mw3li0RWtE', 'wiNlpVRpPv', 'iPblnp3brf', 'Hx9lHXOTXB', 'UxnlBBhIOD', 'KgYlFLm4XA', 'L6Tl4IyJHa', 'ik3lKUT2x6'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, xxVZHBMeXZjnCaCF2V.cs	High entropy of concatenated method names: 'axTY5qST6l', 'OPGYl0cKLx', 'AJZY95bGrm', 'VVp9xeLyOF', 'D7t9zSweNA', 'OPlY8WBddt', 'Vq8Y7bkhIF', 'Wf0YroBBmp', 'siRYTV0089', 'rwjYCA5BWM'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, vboXwjao4FH9HCmDqm.cs	High entropy of concatenated method names: 'miAFfTfeLc', 'O4mF1xqAbP', 'kjcFcuAgwi', 'meTFy4LLnd', 'qxLF3FUXKd', 'MJcFLfeqt0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, ewdjABCc9fRB285i6r.cs	High entropy of concatenated method names: 'dgD7Y1Bk2C', 'R9O7WL7hxA', 'kTV7gZnx5P', 'xeI7PaOGbO', 'epT7nuXMHJ', 'BQN7HyxfUV', 'DJLTPF9rlMftA2497Z', 'syBcg8nMtwwTxxSyGj', 'Bkl77oR8xR', 'u627TQ1A6q'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, WvbZ7MxouRorWu0iPT.cs	High entropy of concatenated method names: 'BF6470p0tO', 'vnr4T3KALe', 'X3W4Cvg9JQ', 'To445hw9Zv', 'ip44b4MY37', 'QLv4Xfx9C2', 'bCM49LNdMB', 'bOSFJjEEDM', 'iaaFSq1AEm', 'PhLFaM1pQj'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, vxkXWX30uyfCGNcUlA.cs	High entropy of concatenated method names: 'BcOnwoe8Bq', 'ArWnkFZWAp', 'j0wn3echV9', 'Ca5njafGQK', 'u98n1S8Kek', 'lcgncNFhhh', 'wP2nyTfjUn', 'K3onLDmltg', 'JgFnEIiL0C', 'hxbnM0ktHp'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, d1gtjFWgBVSGOx5AjT.cs	High entropy of concatenated method names: 'n8GTN8EFZD', 'NoNT5Y8EeN', 'XHpTbjyd6p', 'TjmTldL46r', 'iWNTXAu50G', 'WPxT9409C3', 'HPcTYEvQBg', 'JChTWN3gll', 'eAnTufd4wc', 'oSOTgGn45J'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, hcT8ZLlpGEGA22NQ19.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'avqraDWDUw', 'CkNrxjItPl', 'Wi3rzVRN07', 'w8hT8J6ucZ', 'jqXT7KInFG', 'G0KTrtJn0O', 'aJyTTVGVSY', 'HZ3yoWXts4FKMoohc3h'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, s2A4VA0KwXsZsunAiV.cs	High entropy of concatenated method names: 'K8uZifLHGY', 'DsWZp1DHiV', 'OLFZfqkN2G', 'rARZ1aX732', 'KbwZyrKgnr', 'tYXZLWdLQb', 'pGVZMY7BSj', 'GBhZ6pWFNo', 'nksZw3aOvJ', 'kIRZUUimYN'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, hujg0XAwssmBOTDeL8.cs	High entropy of concatenated method names: 'kmkBSh0aHq', 'JntBxhoyAs', 'BPSF8nGZ9w', 'QcjF7H5ZYa', 'IRUBUKJokT', 'XCYBkV7xrN', 'UupB0llhMi', 'kbmB3v8YXR', 'oySBjqs7pC', 'gRGBVxY0Rt'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, UbCkuBEUJrMgmcxNvt.cs	High entropy of concatenated method names: 'edE9Vux0yP', 'Q7I9OPZNEH', 'gJ39vC8UlB', 'ToString', 'Jwp9AearTo', 'wQn9JwR1CO', 'ouWikFCKcLOdPV6cSyU', 'vH66SmCcsHfw414gYTj', 'cuSUcJClByLNpxcfsH0'
Source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.6f60000.5.raw.unpack, dPZsLr7Tf0fITIIVKGr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mqQK3CWb9u', 'DVtKjD2NZw', 'fkaKVbpUhW', 'wIHKOeByuL', 'rS8KvGbhrh', 'mwnKAbxBc3', 'QLpKJCG9X5'

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	File created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	File created: C:\Users\user\AppData\Roaming\jHJQWf.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp"

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZUHFqcY			Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZUHFqcY			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	File opened: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	File opened: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7532, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.0000000003201000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 48B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 8590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 9590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 9780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 14D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory allocated: 4F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 4D90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 8930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 9930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory allocated: 4F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 24D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 47B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 8560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: A750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2D60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 4EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 8CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: AEC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 31D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 1710000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5071	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 578	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8374	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 973	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Window / User API: threadDelayed 3080	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Window / User API: threadDelayed 2134	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Window / User API: threadDelayed 726
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Window / User API: threadDelayed 3924
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 724
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 4208
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 871
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 3612

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep count: 5071 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep count: 578 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8068	Thread sleep count: 3080 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99768s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8068	Thread sleep count: 2134 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -98077s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97840s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97595s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97216s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe TID: 8036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2172	Thread sleep count: 726 > 30
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2172	Thread sleep count: 3924 > 30
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -99521s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98896s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98279s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97844s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97625s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97515s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97296s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97187s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -97078s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe TID: 2120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7964	Thread sleep count: 724 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7964	Thread sleep count: 4208 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99325s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98544s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -98134s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97925s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7932	Thread sleep time: -97078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5344	Thread sleep count: 871 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5344	Thread sleep count: 3612 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99329s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98985s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1912	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99768	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99530	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 98077	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97840	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97717	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97595	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97469	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97216	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 99521
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98896
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98500
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98279
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98171
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 98062
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97953
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97844
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97734
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97625
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97515
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97406
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97296
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97187
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 97078
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99325
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98544
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98134
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97925
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97547
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97437
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97219
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97078
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99329
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98985
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98860
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477

Source: ZUHFqcY.exe, 00000019.00000002.2556822159.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: ZUHFqcY.exe, 00000019.00000002.2556822159.0000000003201000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ZUHFqcY.exe, 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFOq
Source: jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1532255109.0000000006460000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Code function: 9_2_014D70B8 CheckRemoteDebuggerPresent,

9_2_014D70B8

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Memory written: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Memory written: C:\Users\user\AppData\Roaming\jHJQWf.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory written: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory written: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Process created: C:\Users\user\AppData\Roaming\jHJQWf.exe "C:\Users\user\AppData\Roaming\jHJQWf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Users\user\AppData\Roaming\jHJQWf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Users\user\AppData\Roaming\jHJQWf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 6524, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\jHJQWf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 6524, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.ZUHFqcY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.41b7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3e392e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.jHJQWf.exe.3dfd8c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.ZUHFqcY.exe.3857a30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.ZUHFqcY.exe.417be40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.3957c98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n P13000996 pdf.exe.391c278.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.000000000324C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2556822159.0000000003216000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2556220086.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2556274282.0000000002F77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n P13000996 pdf.exe PID: 7836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHJQWf.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 6524, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	34 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	631 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cotizaci#U00f3n P13000996 pdf.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.GenSteal
Cotizaci#U00f3n P13000996 pdf.exe	59%	Virustotal		Browse
Cotizaci#U00f3n P13000996 pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jHJQWf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.GenSteal
C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	59%	Virustotal		Browse
C:\Users\user\AppData\Roaming\jHJQWf.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.GenSteal
C:\Users\user\AppData\Roaming\jHJQWf.exe	59%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
us2.smtp.mailhostbox.com	2%	Virustotal		Browse
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://us2.smtp.mailhostbox.com	2%	Virustotal		Browse
http://ip-api.com/line/?fields=hosting0	0%	Virustotal		Browse
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	true	2%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://ocsp.sectigo.com0A	Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0	Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2553264071.0000000001336000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2578989621.00000000068CF000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2553339668.000000000144B000.00000004.00000020.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1510235688.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.0000000006580000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2578677718.000000000658A000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2553428808.0000000001480000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.000000000322F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hosting0	ZUHFqcY.exe, 00000019.00000002.2553428808.00000000014B6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Cotizaci#U00f3n P13000996 pdf.exe, 00000000.00000002.1324801590.000000000290E000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 0000000B.00000002.1370783365.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000011.00000002.1445199267.000000000280E000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000016.00000002.1533879364.0000000003171000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	Cotizaci#U00f3n P13000996 pdf.exe, 00000009.00000002.2556274282.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, jHJQWf.exe, 00000010.00000002.2556220086.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000014.00000002.1513664213.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000019.00000002.2556822159.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528679
Start date and time:	2024-10-08 09:04:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cotizaci#U00f3n P13000996 pdf.exe renamed because original name is a hash value
Original Sample Name:	Cotizacin P13000996 pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@33/20@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 290 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:05:33	API Interceptor	27x Sleep call for process: Cotizaci#U00f3n P13000996 pdf.exe modified
03:05:35	API Interceptor	28x Sleep call for process: powershell.exe modified
03:05:37	API Interceptor	25x Sleep call for process: jHJQWf.exe modified
03:05:46	API Interceptor	49x Sleep call for process: ZUHFqcY.exe modified
09:05:36	Task Scheduler	Run new task: jHJQWf path: C:\Users\user\AppData\Roaming\jHJQWf.exe
09:05:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ZUHFqcY C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
09:05:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ZUHFqcY C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.143	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New Order PO#86637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z1newpo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z68ORDER.scr.exe	Get hash	malicious	AgentTesla	Browse
	z17invoice.exe	Get hash	malicious	AgentTesla	Browse
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	product_list.xls	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Other.Malware-gen.12504.4949.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	giehjhgjzJ.hta	Get hash	malicious	Cobalt Strike, MassLogger RAT, Snake Keylogger	Browse
208.95.112.1	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	z71htmivzKAUpOkr2J.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RFQ 002593810024350.bat.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Request For Quotation.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PixpFUv4G7.exe	Get hash	malicious	Quasar, XWorm	Browse	ip-api.com/line/?fields=hosting
	H2f8SkAvdV.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	ip-api.com/json/?fields=225545
	A39tzaySzX.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	z84TTREMITTANCEUSD347_432_63.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PAYSLIP.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SWIFT COPY.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
ip-api.com	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	z71htmivzKAUpOkr2J.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ 002593810024350.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	http://tcaconnect.ac-page.com/toronto-construction-association-inc/	Get hash	malicious	Unknown	Browse	51.77.64.70
	Request For Quotation.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PixpFUv4G7.exe	Get hash	malicious	Quasar, XWorm	Browse	208.95.112.1
	H2f8SkAvdV.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	208.95.112.1
	A39tzaySzX.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	shipping.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	order2024-10-07_174915.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	shipping.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	rInvoiceCM60916_xlx.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	Pending invoices.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	z1SupplyInvoiceCM60916_Doc.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	New order.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	https://octo9.com.ng/Greula/	Get hash	malicious	Unknown	Browse	208.91.199.242
	https://hegekaka.za.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVZFNUpaM1U9JnVpZD1VU0VSMTYwOTIwMjRVMjMwOTE2MTk=N0123N	Get hash	malicious	Unknown	Browse	119.18.48.45
TUT-ASUS	x2Yi9Hr77a.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	z71htmivzKAUpOkr2J.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	scan_374783.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ 002593810024350.bat.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DHL_Doc.9787653446578978656879764534576879764545766456.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Request For Quotation.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PixpFUv4G7.exe	Get hash	malicious	Quasar, XWorm	Browse	208.95.112.1
	H2f8SkAvdV.exe	Get hash	malicious	Blank Grabber, XWorm	Browse	208.95.112.1
	A39tzaySzX.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	Bpz46JayQ4.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZUHFqcY.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jHJQWf.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\jHJQWf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:fLHyIFKL3IZ2KRH9Ougss
MD5:	47AE6B38874AA66FC6688784E5F2EF18
SHA1:	AF71A58235AE5D80BDDA79DE907697354E5553F6
SHA-256:	F271AAB7854518D80F39793CBA35D7BFDABBFBCAC9DBD8F5E79EAE393BDC4C98
SHA-512:	D8FD735141FBF25FE4EFB88E973F4416A50EC0E065A297BC8B398FF96AD77EE852EA2E66BD3CAFED7C4C9EE9D24742C3D95F03DD13DBC6C1B57BFDB2F40EF1A3
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ql0yhw0.mse.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_531jyh3d.4q5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibn1lnad.xeo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idtda2ui.n3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kn5xsb0o.vk4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv0n1m2g.uw5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfta0r4n.2x4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zizfyhcx.uwi.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp8543.tmp

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.128215157867174
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	4470876D0E0D1CA87E18C051AAC28DF0
SHA1:	8B85BD757EE2DB775F712EF9B6A12758EDDF1DFD
SHA-256:	25489087639934394516A7F8FFCA6A7E81AB996FF6E74C213E4F8A37AC2DCD91
SHA-512:	3245A8809A7D2D7D7D096B9C8D5FBAE6A347AE0794E8FE31943C8CA5A12912237E99C8BE7932055759E06A8A00F4029FB93E4D1EBC8127DEFC0E3DCB35CEA256
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmp9457.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\jHJQWf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.128215157867174
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	4470876D0E0D1CA87E18C051AAC28DF0
SHA1:	8B85BD757EE2DB775F712EF9B6A12758EDDF1DFD
SHA-256:	25489087639934394516A7F8FFCA6A7E81AB996FF6E74C213E4F8A37AC2DCD91
SHA-512:	3245A8809A7D2D7D7D096B9C8D5FBAE6A347AE0794E8FE31943C8CA5A12912237E99C8BE7932055759E06A8A00F4029FB93E4D1EBC8127DEFC0E3DCB35CEA256
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.128215157867174
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	4470876D0E0D1CA87E18C051AAC28DF0
SHA1:	8B85BD757EE2DB775F712EF9B6A12758EDDF1DFD
SHA-256:	25489087639934394516A7F8FFCA6A7E81AB996FF6E74C213E4F8A37AC2DCD91
SHA-512:	3245A8809A7D2D7D7D096B9C8D5FBAE6A347AE0794E8FE31943C8CA5A12912237E99C8BE7932055759E06A8A00F4029FB93E4D1EBC8127DEFC0E3DCB35CEA256
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.128215157867174
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtHxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTRv
MD5:	4470876D0E0D1CA87E18C051AAC28DF0
SHA1:	8B85BD757EE2DB775F712EF9B6A12758EDDF1DFD
SHA-256:	25489087639934394516A7F8FFCA6A7E81AB996FF6E74C213E4F8A37AC2DCD91
SHA-512:	3245A8809A7D2D7D7D096B9C8D5FBAE6A347AE0794E8FE31943C8CA5A12912237E99C8BE7932055759E06A8A00F4029FB93E4D1EBC8127DEFC0E3DCB35CEA256
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	721920
Entropy (8bit):	7.895575991661574
Encrypted:	false
SSDEEP:	12288:uyU5mU+8o1XTsMGQ8rbHJwVKlwIuyrxLr45MF1R43MtK6jO7i1DIYop:vUx4TXGtHFlwIvN05MF1Tj4i1DMp
MD5:	CD3A6F4E87632D933A99502E32A34B73
SHA1:	0033645D2B94CF4E56C8EA6EB8508E3C2EE77B11
SHA-256:	B7C70CD300732D7FAAD3E5A898A93B0DBFF2A62EC9555EEF0997AF34BAA721CA
SHA-512:	5BB5961F2C0A22AC96DDBF6865CA73D308DA2A9D0D04B4265DEBEED062FF56E7CFF9CEE8BF428F027F0849F27D01D84FA9B0E0B6902E8B594CEAC2B7DA73DC0B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.g..............0.................. ... ....@.. .......................`............@.....................................O.... ..@....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H.......................f...............................................r...p}.....r...p}......}.....(%......(...........0...........(......s7....sA....sC.....{......s....s)...o&.....s....%..js....o.....%r!..po.....%.o.....oB.....s....%..js....o.....%r-..po.....oB.....s....%..js....o.....%..s'...(....o.....%rA..po.....oB......0...........rY..p..sd.....oe......+....0..]..........((...r...p().....(.....,,.(+....r...p(,....rl..p(,....(+......(-......sp.....ok......+..".(

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\jHJQWf.exe

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	721920
Entropy (8bit):	7.895575991661574
Encrypted:	false
SSDEEP:	12288:uyU5mU+8o1XTsMGQ8rbHJwVKlwIuyrxLr45MF1R43MtK6jO7i1DIYop:vUx4TXGtHFlwIvN05MF1Tj4i1DMp
MD5:	CD3A6F4E87632D933A99502E32A34B73
SHA1:	0033645D2B94CF4E56C8EA6EB8508E3C2EE77B11
SHA-256:	B7C70CD300732D7FAAD3E5A898A93B0DBFF2A62EC9555EEF0997AF34BAA721CA
SHA-512:	5BB5961F2C0A22AC96DDBF6865CA73D308DA2A9D0D04B4265DEBEED062FF56E7CFF9CEE8BF428F027F0849F27D01D84FA9B0E0B6902E8B594CEAC2B7DA73DC0B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.g..............0.................. ... ....@.. .......................`............@.....................................O.... ..@....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H.......................f...............................................r...p}.....r...p}......}.....(%......(...........0...........(......s7....sA....sC.....{......s....s)...o&.....s....%..js....o.....%r!..po.....%.o.....oB.....s....%..js....o.....%r-..po.....oB.....s....%..js....o.....%..s'...(....o.....%rA..po.....oB......0...........rY..p..sd.....oe......+....0..]..........((...r...p().....(.....,,.(+....r...p(,....rl..p(,....(+......(-......sp.....ok......+..".(

C:\Users\user\AppData\Roaming\jHJQWf.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.895575991661574
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Cotizaci#U00f3n P13000996 pdf.exe
File size:	721'920 bytes
MD5:	cd3a6f4e87632d933a99502e32a34b73
SHA1:	0033645d2b94cf4e56c8ea6eb8508e3c2ee77b11
SHA256:	b7c70cd300732d7faad3e5a898a93b0dbff2a62ec9555eef0997af34baa721ca
SHA512:	5bb5961f2c0a22ac96ddbf6865ca73d308da2a9d0d04b4265debeed062ff56e7cff9cee8bf428f027f0849f27d01d84fa9b0e0b6902e8b594ceac2b7da73dc0b
SSDEEP:	12288:uyU5mU+8o1XTsMGQ8rbHJwVKlwIuyrxLr45MF1R43MtK6jO7i1DIYop:vUx4TXGtHFlwIvN05MF1Tj4i1DMp
TLSH:	6FE4124223F84720E5BE5BBC68B551610773752A3476EB4E1FD861DA2FB3B00DA2136B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5.g..............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	71f06930924d0f0f

Static PE Info

General

Entrypoint:	0x4b0b0a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670435D0 [Mon Oct 7 19:26:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0ab8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x1340	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaeb10	0xaec00	53a7721da278c4d013904ffa5a7aca50	False	0.9291174892703863	data	7.903574933359164	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x1340	0x1400	77e9a854ffbc155c2a37d90a064087ac	False	0.7453125	data	6.915452560417603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	fc6727401350e6cd9f14ae1c5da2b377	False	0.044921875	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb20c8	0xf1a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8706673564407656
RT_GROUP_ICON	0xb2ff4	0x14	data	1.05
RT_VERSION	0xb3018	0x324	data	0.43034825870646765

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 09:05:36.986718893 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:36.991792917 CEST	80	49703	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:36.992029905 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:36.992609024 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:36.997500896 CEST	80	49703	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:37.448484898 CEST	80	49703	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:37.500545979 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:38.253792048 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:38.258630037 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:38.259516001 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:38.956059933 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:38.956639051 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:38.961442947 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.106472015 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.107036114 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.112052917 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.256877899 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.265038967 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.270136118 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.415335894 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.415358067 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.415369987 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.415381908 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.415430069 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.415481091 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.632514000 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.667587042 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.672509909 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.818269968 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.832828045 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:39.837794065 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:39.982234955 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.013746977 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.018785954 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.166311979 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.166763067 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.171675920 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.322602987 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.332192898 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.337132931 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.486315966 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.491415024 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.496129036 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.666874886 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.671698093 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.676610947 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.822315931 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.823065042 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.823223114 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.823223114 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.823223114 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:40.827948093 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.828016043 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.828365088 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:40.828375101 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:41.204366922 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:41.266129971 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:41.596164942 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:41.601042986 CEST	80	49714	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:41.601130962 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:41.601363897 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:41.606163979 CEST	80	49714	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:42.059545040 CEST	80	49714	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:42.141021013 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:42.904867887 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:42.909737110 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:42.909861088 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:43.459475040 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:43.482281923 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:43.487665892 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:43.634427071 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:43.672095060 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:43.677542925 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:43.823745966 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:43.969147921 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:43.971226931 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.047972918 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.048024893 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.048810005 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.194993019 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.195008993 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.195020914 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.195031881 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.195075035 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.195108891 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.283487082 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.285310984 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.290147066 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.437006950 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.451525927 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.456448078 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.602745056 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.603693008 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.608620882 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.757556915 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.757988930 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.762895107 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.916913033 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:44.917329073 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:44.922244072 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.069919109 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.078023911 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.082866907 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.252346039 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.252649069 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.257529020 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.409490108 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.410738945 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.410738945 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.410767078 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.411169052 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:45.415587902 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.415600061 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.415730953 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.415945053 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:45.943300962 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:46.002948046 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:46.003015995 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:48.710082054 CEST	49759	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:48.714982033 CEST	80	49759	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:48.715075970 CEST	49759	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:48.715424061 CEST	49759	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:48.720185041 CEST	80	49759	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:49.307698011 CEST	80	49759	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:49.359826088 CEST	49759	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:50.554665089 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:50.559557915 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:50.559631109 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.121752977 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.122091055 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.126996040 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.275674105 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.276014090 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.280832052 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.429217100 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.432869911 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.437721968 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586508989 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586524963 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586535931 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586549044 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586558104 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.586673975 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.586673975 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.831466913 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.839519024 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:51.844346046 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:51.996965885 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.010677099 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.015536070 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.164490938 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.165150881 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.169894934 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.321716070 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.375463009 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.408664942 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.413516045 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.569191933 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.578851938 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.583688974 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.734436035 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.774533987 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.779450893 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.951318979 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:52.951594114 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:52.956438065 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.106390953 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.107546091 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:53.107623100 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:53.107623100 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:53.107646942 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:53.112643003 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.112682104 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.112694025 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.112705946 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.495871067 CEST	587	49766	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:53.547334909 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:57.460515976 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:57.465435028 CEST	80	49814	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:57.465555906 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:57.465842009 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:57.470925093 CEST	80	49814	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:57.931749105 CEST	80	49814	208.95.112.1	192.168.2.7
Oct 8, 2024 09:05:57.984808922 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:05:59.470340967 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:59.475217104 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:05:59.475291014 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:59.622479916 CEST	49766	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:05:59.623122931 CEST	49759	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:00.023420095 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.023641109 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.028460026 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.174598932 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.174848080 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.179691076 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.326050997 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.330692053 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.335665941 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482381105 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482393980 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482417107 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482428074 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482436895 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.482487917 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.482568979 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.570821047 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.577060938 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.581917048 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.729408979 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.745356083 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.750336885 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.896162033 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:00.899461985 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:00.904282093 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.052623987 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.053253889 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.057998896 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.209738970 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.215512037 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.220352888 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.369013071 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.369333029 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.374114990 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.542599916 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.542912006 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.547688961 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.694866896 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.695661068 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.695729017 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.695760965 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.695800066 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:01.700531960 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.700544119 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.700603962 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:01.700896978 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:02.071592093 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:06:02.125464916 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:06:28.250833988 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:28.256840944 CEST	80	49703	208.95.112.1	192.168.2.7
Oct 8, 2024 09:06:28.256962061 CEST	49703	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:28.505026102 CEST	80	49814	208.95.112.1	192.168.2.7
Oct 8, 2024 09:06:28.505187035 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:32.910300970 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:32.916313887 CEST	80	49714	208.95.112.1	192.168.2.7
Oct 8, 2024 09:06:32.916397095 CEST	49714	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:49.488372087 CEST	49814	80	192.168.2.7	208.95.112.1
Oct 8, 2024 09:06:49.493614912 CEST	80	49814	208.95.112.1	192.168.2.7
Oct 8, 2024 09:07:18.266652107 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:18.271576881 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:18.415889978 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:18.416250944 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:18.416333914 CEST	587	49705	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:18.416336060 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:18.416380882 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:18.419171095 CEST	49705	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:22.922956944 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:22.927782059 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:23.075378895 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:23.076144934 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:23.076191902 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:23.076339960 CEST	587	49720	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:23.076383114 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:23.079317093 CEST	49720	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:39.501251936 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:39.506499052 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:39.653397083 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:39.653776884 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:39.653989077 CEST	587	49826	208.91.198.143	192.168.2.7
Oct 8, 2024 09:07:39.654314041 CEST	49826	587	192.168.2.7	208.91.198.143
Oct 8, 2024 09:07:39.656872034 CEST	49826	587	192.168.2.7	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 09:05:36.948837042 CEST	53105	53	192.168.2.7	1.1.1.1
Oct 8, 2024 09:05:36.955878019 CEST	53	53105	1.1.1.1	192.168.2.7
Oct 8, 2024 09:05:38.244112968 CEST	58777	53	192.168.2.7	1.1.1.1
Oct 8, 2024 09:05:38.252986908 CEST	53	58777	1.1.1.1	192.168.2.7
Oct 8, 2024 09:05:57.443944931 CEST	62093	53	192.168.2.7	1.1.1.1
Oct 8, 2024 09:05:57.450669050 CEST	53	62093	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 09:05:36.948837042 CEST	192.168.2.7	1.1.1.1	0xc6d8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:38.244112968 CEST	192.168.2.7	1.1.1.1	0xa557	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:57.443944931 CEST	192.168.2.7	1.1.1.1	0xb21c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 09:05:36.955878019 CEST	1.1.1.1	192.168.2.7	0xc6d8	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:38.252986908 CEST	1.1.1.1	192.168.2.7	0xa557	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:38.252986908 CEST	1.1.1.1	192.168.2.7	0xa557	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:38.252986908 CEST	1.1.1.1	192.168.2.7	0xa557	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:38.252986908 CEST	1.1.1.1	192.168.2.7	0xa557	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Oct 8, 2024 09:05:57.450669050 CEST	1.1.1.1	192.168.2.7	0xb21c	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	208.95.112.1	80	7836	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 09:05:36.992609024 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 8, 2024 09:05:37.448484898 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 07:05:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49714	208.95.112.1	80	7092	C:\Users\user\AppData\Roaming\jHJQWf.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 09:05:41.601363897 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 8, 2024 09:05:42.059545040 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 07:05:41 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 55 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49759	208.95.112.1	80	7744	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 09:05:48.715424061 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 8, 2024 09:05:49.307698011 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 07:05:48 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 48 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49814	208.95.112.1	80	6524	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 09:05:57.465842009 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 8, 2024 09:05:57.931749105 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 07:05:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 39 X-Rl: 41 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 8, 2024 09:05:38.956059933 CEST	587	49705	208.91.198.143	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 8, 2024 09:05:38.956639051 CEST	49705	587	192.168.2.7	208.91.198.143	EHLO 887849
Oct 8, 2024 09:05:39.106472015 CEST	587	49705	208.91.198.143	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 8, 2024 09:05:39.107036114 CEST	49705	587	192.168.2.7	208.91.198.143	STARTTLS
Oct 8, 2024 09:05:39.256877899 CEST	587	49705	208.91.198.143	192.168.2.7	220 2.0.0 Ready to start TLS
Oct 8, 2024 09:05:43.459475040 CEST	587	49720	208.91.198.143	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 8, 2024 09:05:43.482281923 CEST	49720	587	192.168.2.7	208.91.198.143	EHLO 887849
Oct 8, 2024 09:05:43.634427071 CEST	587	49720	208.91.198.143	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 8, 2024 09:05:43.672095060 CEST	49720	587	192.168.2.7	208.91.198.143	STARTTLS
Oct 8, 2024 09:05:43.823745966 CEST	587	49720	208.91.198.143	192.168.2.7	220 2.0.0 Ready to start TLS
Oct 8, 2024 09:05:44.047972918 CEST	587	49720	208.91.198.143	192.168.2.7	220 2.0.0 Ready to start TLS
Oct 8, 2024 09:05:51.121752977 CEST	587	49766	208.91.198.143	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 8, 2024 09:05:51.122091055 CEST	49766	587	192.168.2.7	208.91.198.143	EHLO 887849
Oct 8, 2024 09:05:51.275674105 CEST	587	49766	208.91.198.143	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 8, 2024 09:05:51.276014090 CEST	49766	587	192.168.2.7	208.91.198.143	STARTTLS
Oct 8, 2024 09:05:51.429217100 CEST	587	49766	208.91.198.143	192.168.2.7	220 2.0.0 Ready to start TLS
Oct 8, 2024 09:06:00.023420095 CEST	587	49826	208.91.198.143	192.168.2.7	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 8, 2024 09:06:00.023641109 CEST	49826	587	192.168.2.7	208.91.198.143	EHLO 887849
Oct 8, 2024 09:06:00.174598932 CEST	587	49826	208.91.198.143	192.168.2.7	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 8, 2024 09:06:00.174848080 CEST	49826	587	192.168.2.7	208.91.198.143	STARTTLS
Oct 8, 2024 09:06:00.326050997 CEST	587	49826	208.91.198.143	192.168.2.7	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	03:05:33
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Imagebase:	0x550000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1325398884.000000000391C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Imagebase:	0xe90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jHJQWf.exe"
Imagebase:	0xe90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp8543.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x290000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:05:34
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3n P13000996 pdf.exe"
Imagebase:	0xbf0000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2556274282.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2556274282.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2556274282.0000000002F77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:05:36
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\jHJQWf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jHJQWf.exe
Imagebase:	0x9e0000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1379159388.0000000003DFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:05:36
Start date:	08/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	03:05:38
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmp9457.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:05:38
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:05:39
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\jHJQWf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\jHJQWf.exe"
Imagebase:	0x1a0000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:05:39
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\jHJQWf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\jHJQWf.exe"
Imagebase:	0xc60000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2556220086.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2556220086.0000000002E86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2556220086.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	03:05:44
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0x490000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.1446850415.000000000381C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:05:46
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpB4A0.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:05:46
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:05:46
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0xb70000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.1513664213.0000000002F1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.1513664213.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.1509756030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.1513664213.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	04:21:40
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0xc90000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1540482760.000000000417B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	04:21:41
Start date:	08/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jHJQWf" /XML "C:\Users\user\AppData\Local\Temp\tmpD6A0.tmp"
Imagebase:	0x4d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:21:41
Start date:	08/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:21:41
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0xdb0000
File size:	721'920 bytes
MD5 hash:	CD3A6F4E87632D933A99502E32A34B73
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2556822159.000000000324C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2556822159.0000000003227000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.2556822159.0000000003216000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	184
Total number of Limit Nodes:	6

Executed Functions

Function 08576108 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7a3f608860dd95665b482f099de24f84851860620e6ead795c9f21e02f3db2
Instruction ID: af63d97aeabe52c2ece119968e8b8adacdc6e31bc589944c33b9190db7998d8a
Opcode Fuzzy Hash: 2b7a3f608860dd95665b482f099de24f84851860620e6ead795c9f21e02f3db2
Instruction Fuzzy Hash: BE826C74A00A0ADFCB15CF68E984AAEBBF2FF98311F15C569E4059B3A1D730E941CB51

Function 08572E90 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e53432cf1fb93395b1759d371d4d6b97424328f9dcfed7b58268c96ee728eeb
Instruction ID: f9dd316dfda6c40c9e5d5f5fea918e98c35a04296a9d95ba70f1a37589dcd648
Opcode Fuzzy Hash: 5e53432cf1fb93395b1759d371d4d6b97424328f9dcfed7b58268c96ee728eeb
Instruction Fuzzy Hash: 0E229D70A002199FDB14DF69E854BAEBBB6FF88311F548569E806DB390DF349C42CB94

Function 085735F8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbe30452facb1a583cb9887bdbe557ea6448db3294e87f36b6eb937b94d9f2f
Instruction ID: 41f8efacce119eeb64906a00d370fcad10dd78b4e6d38ad0985e6f85090c9192
Opcode Fuzzy Hash: 4dbe30452facb1a583cb9887bdbe557ea6448db3294e87f36b6eb937b94d9f2f
Instruction Fuzzy Hash: 63D14A71A00119DFDB14CFA9E984AEDBBB2BF88321F95C069E405AB361D731E941DF50

Function 06C70DF9 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb724a68964ebe52b7854924ab292a256bb7801b737c9b360447c6b561396050
Instruction ID: f23db1d9ea269f28bce4a64f2b01e492f5e916fcdd616c2551368cc44e265f48
Opcode Fuzzy Hash: fb724a68964ebe52b7854924ab292a256bb7801b737c9b360447c6b561396050
Instruction Fuzzy Hash: 842109B1D056588BEB18CF67D8443EEBFF2AFC9300F18C06AD409A6265DB7009458B90

Function 06C70E08 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7add913821121f69805f91ec98ca873e351aca00595aa1c6a225568a197329d
Instruction ID: 1fabcd54aaa80771c65a6268fd74ee7e7cdd4f2a33da3f01fda6ca5361c85844
Opcode Fuzzy Hash: c7add913821121f69805f91ec98ca873e351aca00595aa1c6a225568a197329d
Instruction Fuzzy Hash: 0D1107B1D046188BEB18CF6BD9443DEFAF7AFC8300F08C06A9409B6264DB7005458F90

Function 06C79F9E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2acc2c2ec2207592f4ec32c2fd4f9b34c5d3f15c621948826cd8eee7c78f4c
Instruction ID: f6924e0a97cd0cf80335fbe302adf652ca7f9c883523e20a12d5b0729df7536a
Opcode Fuzzy Hash: 3e2acc2c2ec2207592f4ec32c2fd4f9b34c5d3f15c621948826cd8eee7c78f4c
Instruction Fuzzy Hash: F1B01200D9F7878DE3D22B3238002B9EB3C5657010B4574438045B31132C108401139C

Function 085786A0 Relevance: 2.7, Strings: 2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0,Wq, xrefs: 08578702
%*&/)(#$^@!~-_, xrefs: 085786D9

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_$0,Wq
API String ID: 0-1692081166
Opcode ID: afcfacd7cd293b75d56b8fe4fdba3e6e9b41c35bfedac2304412c8e0564cb206
Instruction ID: e5a576d9298582718d4c4e002e4c96196130f3432ebe71f19a5be8b6d2273bca
Opcode Fuzzy Hash: afcfacd7cd293b75d56b8fe4fdba3e6e9b41c35bfedac2304412c8e0564cb206
Instruction Fuzzy Hash: D3517E35F102149BE704AF68D8456ADBBB3FF89300F1588ADD895AB385CF316D4ACB85

Function 085786B0 Relevance: 2.7, Strings: 2, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0,Wq, xrefs: 08578702
%*&/)(#$^@!~-_, xrefs: 085786D9

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_$0,Wq
API String ID: 0-1692081166
Opcode ID: 1be4e359bb3edcfc6c130aad3907bcc546cef461c1f44a175116ab4160a168b1
Instruction ID: ec839344cfbd3e2722e6ba3c27734186f16c0f7809d1fca4847068546bb4b9de
Opcode Fuzzy Hash: 1be4e359bb3edcfc6c130aad3907bcc546cef461c1f44a175116ab4160a168b1
Instruction Fuzzy Hash: 74516D31F102549BE704AB68D8456ADBBB3FF89300F1588ADE8956B385CF31694AC785

Function 06C76B71 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C76DAE

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e44d3ea870786d794a0dfab20e324fe5715093b2c193bdbfd37359821587800f
Instruction ID: c174838a6034a8ae2e835be36c40b771b48a7d1856f99a1f27c4de91d584ea59
Opcode Fuzzy Hash: e44d3ea870786d794a0dfab20e324fe5715093b2c193bdbfd37359821587800f
Instruction Fuzzy Hash: 44915871D006198FEF64DF69CC44BEDBBB2EF48310F1485AAE809A7240DB759A85CF91

Function 06C76B78 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C76DAE

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9817318cec16282630624c41ea85142b5852d628a3e9ada7202107e4c6af2183
Instruction ID: 79ded95206fec82b0d8731887149d8d33c4dc2d9d69da4cafbe0ccadc55f5517
Opcode Fuzzy Hash: 9817318cec16282630624c41ea85142b5852d628a3e9ada7202107e4c6af2183
Instruction Fuzzy Hash: B5915971D006198FEF64DF6ACC44BADBAB2FF48300F1485A9E808A7240DB759A85CF91

Function 026FAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026FAF9E

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e2ce14feaabba47e6156176fb893031c247056f3f2a8f2eddc589c9967ea9b78
Instruction ID: d70bee8288ed997f06f06afbfafaaf58f10f8fb15d9c6ddaca937d51d1d66b03
Opcode Fuzzy Hash: e2ce14feaabba47e6156176fb893031c247056f3f2a8f2eddc589c9967ea9b78
Instruction Fuzzy Hash: 26813670A00B058FDB64DF69D44075ABBF2BF88304F00892DD58ADBB50EB75A805CB95

Function 026F590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026F59C9

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7510ae5911cb24c5fdc2e1f134319bc91c2cf710c8263f9f07d95207d452cde0
Instruction ID: 3b3feb962dd38bb73110fa5b72db928082a63eee2c2973d6549390a2694465f5
Opcode Fuzzy Hash: 7510ae5911cb24c5fdc2e1f134319bc91c2cf710c8263f9f07d95207d452cde0
Instruction Fuzzy Hash: 6141E171C00719CBEF28CFAAC884B8DBBB5BF49714F60805AD509AB251DB75694ACF90

Function 026F44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026F59C9

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 36cbb99138b8cc6f846a48a540b7609c1da485baafb090872bf26fa7bbc7b204
Instruction ID: ab88ef41423b6bbb6d572be18c220d7dbd52e9330bcc14155613bb2047d59926
Opcode Fuzzy Hash: 36cbb99138b8cc6f846a48a540b7609c1da485baafb090872bf26fa7bbc7b204
Instruction Fuzzy Hash: 5841D070C0071DCBEB28DFA9C884B9DBBB5FF49304F60805AD509AB251DB75694ACF90

Function 026FD6E1 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026FD5E6,?,?,?,?,?), ref: 026FD6A7

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0da8102233f1d73813566f663b47b0b768041678148f662a68da7ee1975eaae5
Instruction ID: 91fb98ddc2b4dbdd5a0fd8908f74cd10ecda29ca86812a3e5e828f3356780430
Opcode Fuzzy Hash: 0da8102233f1d73813566f663b47b0b768041678148f662a68da7ee1975eaae5
Instruction Fuzzy Hash: 9831A1346403898FE705EFA1E4587697BB1F7C8312F118569E9159B3D8EBB89C45CF20

Function 06C768E8 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C76980

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6c888853cfc7344523c20fc3d30d9c52b33c7c5c60a806c3e3bf0a590386e503
Instruction ID: 8e6bf5ede3b850440409e3e7945a53008313f8b080f3993154ca184b28978984
Opcode Fuzzy Hash: 6c888853cfc7344523c20fc3d30d9c52b33c7c5c60a806c3e3bf0a590386e503
Instruction Fuzzy Hash: 302135769003599FDB24CFAAC884BDEBBF5FF48310F10842AE958A7241D7789944CBA4

Function 06C768F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C76980

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b760bb10881201b0ab6fd38323ef52f2a6c56770536bda758dc4cb4845f9bd77
Instruction ID: 0743c9a82d3e0c8797da11057c651694ad0c6d81c35a361ea65c636661ff218f
Opcode Fuzzy Hash: b760bb10881201b0ab6fd38323ef52f2a6c56770536bda758dc4cb4845f9bd77
Instruction Fuzzy Hash: 00212775D003499FDB10CFAAC884BDEBBF5FF48310F10842AE959A7240D7799954CBA4

Function 06C76750 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C767D6

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b163f6590d661b430141bb5226a868021e8039c7992ddeafce77912ae94c45da
Instruction ID: 54ab1c0adeee6f26a5e8fdeb2a37b1c1ca7f81116d7738c4ec00af1654ec066d
Opcode Fuzzy Hash: b163f6590d661b430141bb5226a868021e8039c7992ddeafce77912ae94c45da
Instruction Fuzzy Hash: 0F214875D003489FDB14DFAAC484BEEBBF4AF88320F14842ED459A7241CB789945CFA1

Function 06C769D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C76A60

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9aa6b944dec97dc11ab41d8bf633ec60aa2d343a151935f39a41ade73f4d89fe
Instruction ID: edf946acf64e9cfa2fea8e02b9ca859777fa5604218a2dea8225bc1fc70eb4a9
Opcode Fuzzy Hash: 9aa6b944dec97dc11ab41d8bf633ec60aa2d343a151935f39a41ade73f4d89fe
Instruction Fuzzy Hash: 92212771C003599FDB10CFAAC880BEEBBF5FF48310F10842AE918A7250D7789940CBA5

Function 026FB730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026FD5E6,?,?,?,?,?), ref: 026FD6A7

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c5061513030e90ec8ddb05506a6f66fc08d747584fa1fe68b8a2540d55151da8
Instruction ID: 60b716474bb429d40fa648b3a6c8f1746d1d16f30327a12ee37ecd6936aa162b
Opcode Fuzzy Hash: c5061513030e90ec8ddb05506a6f66fc08d747584fa1fe68b8a2540d55151da8
Instruction Fuzzy Hash: 8C21E4B5D002489FDF10CFAAD984ADEFBF5EB48310F24841AE918A7350D378A954CFA5

Function 026FD619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026FD5E6,?,?,?,?,?), ref: 026FD6A7

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5230bde299ac2907b4a5f17a86888801daabb66c3a5053a75e1110b0ee70cd4f
Instruction ID: 7c71ce1e0ec04b58fd6e08d16fcc58dfb3fd7fa1a4a1ca577cfef86f1f549212
Opcode Fuzzy Hash: 5230bde299ac2907b4a5f17a86888801daabb66c3a5053a75e1110b0ee70cd4f
Instruction Fuzzy Hash: 5521E4B5D002489FDF10CFAAD984ADEBBF5EB48324F24841AE918A7350D378A944CF65

Function 06C76758 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C767D6

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cfec1df1099239a46546b539f4819ee8bd0583da13e81996555bf6e5ed44bec6
Instruction ID: 613ea97f2a92971aac37b4d7d2f93ee18ee0ff6fece79f69a2049b5ecb8f7b48
Opcode Fuzzy Hash: cfec1df1099239a46546b539f4819ee8bd0583da13e81996555bf6e5ed44bec6
Instruction Fuzzy Hash: D4212575D003088FDB14DFAAC485BAEBBF5EF88320F14842AD419A7240DB789944CFA4

Function 06C769E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C76A60

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6699a5b04511c982a93ef97d9affab628c67522b91213492815ae2ed9471d670
Instruction ID: e5a8c8b22ccd9be25509d52dd0fea623ebadb93f27e444878fb5a07873e3161f
Opcode Fuzzy Hash: 6699a5b04511c982a93ef97d9affab628c67522b91213492815ae2ed9471d670
Instruction Fuzzy Hash: CA2116B1C003599FDB10DFAAC840BEEBBF5FF48320F10842AE918A7240D7799940CBA5

Function 06C7ADE1 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C7AE45

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 969a78bc3ef3fc38c6b2d27f3be12575a8b7d6be315aeb1570e64481b6e692ec
Instruction ID: 549bc5a9305745a91776911bd8a90aae227268755dd4a89d5a03943d69238f2b
Opcode Fuzzy Hash: 969a78bc3ef3fc38c6b2d27f3be12575a8b7d6be315aeb1570e64481b6e692ec
Instruction Fuzzy Hash: C02113B68003489FDB20DF99D844BDEFBF4EB88320F20841AD558A7611C379A954CFA5

Function 06C76828 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7689E

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ff0d3a6d8bcfb4115a5f656a32b9862a87cc0f206b88f4971ba142b6f60133a
Instruction ID: 349c4485d94f3719e4caddcc240bc38e56e008b61b6cf72854533f12880d261f
Opcode Fuzzy Hash: 1ff0d3a6d8bcfb4115a5f656a32b9862a87cc0f206b88f4971ba142b6f60133a
Instruction Fuzzy Hash: B11136769002489FDB20DFAAD844BDEBBF1AF88320F14841AD919A7250C6799944CFA0

Function 06C76268 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C762D2

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c7bafe71a16c855c17d795f1814fd0be3b699a7be3224abcfa27caeae3b803da
Instruction ID: 918f04cff3f059ef064842c5da64fdd2a679c6ca846ad2315afa9ce3d850ca78
Opcode Fuzzy Hash: c7bafe71a16c855c17d795f1814fd0be3b699a7be3224abcfa27caeae3b803da
Instruction Fuzzy Hash: 9E1126B5D002488FDB24DFAAD445BDEBBF5AF88320F24881EC459A7240DB799945CFA4

Function 06C76830 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7689E

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06c3eec53d4cb71fab946c6de4c5a223af13f6cc781493d77258b568dd762404
Instruction ID: c6bb8da4f70ec2c3d36a1de7af24e136ac6badcf50717a83075bfb4afcd49699
Opcode Fuzzy Hash: 06c3eec53d4cb71fab946c6de4c5a223af13f6cc781493d77258b568dd762404
Instruction Fuzzy Hash: EA1129759003489FDB24DFAAC844BDEBBF5EF88310F14841AD919A7250C7799544CFA4

Function 06C76270 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06C762D2

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e758da2328f047704a7d243e80c09426acdf2a908bcde80a30a4cf43b5a90340
Instruction ID: 25849f8f6f4fc354614782f2e2da92fea0b340c1bc6fa4e31889d5c597a7907c
Opcode Fuzzy Hash: e758da2328f047704a7d243e80c09426acdf2a908bcde80a30a4cf43b5a90340
Instruction Fuzzy Hash: 191128B1D003488FDB24DFAAC845BDEFBF5EF88320F14841AD519A7240CB79A944CBA4

Function 06C75024 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C7AE45

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1077b142875db62214318505b3d0f23b26b8054204c404fa80767d693f2e8f4d
Instruction ID: 549396fa9f74375761a8067004637f899b445d2b39fde23a2bdaff8d8716f06a
Opcode Fuzzy Hash: 1077b142875db62214318505b3d0f23b26b8054204c404fa80767d693f2e8f4d
Instruction Fuzzy Hash: 2F1103B580034D9FDB20DF9AD845BDEBBF8EB48320F10841AE958A7610D379A954CFA5

Function 026FAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026FAF9E

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d5b1ae62a1abded330b0f87ee3c6039933e93500d7ae4b4f02cf8ffd6e5a0180
Instruction ID: dacf1cb7e2abca8f1599c149ca59e5133aa8be6dee69f9715e43d361921767fc
Opcode Fuzzy Hash: d5b1ae62a1abded330b0f87ee3c6039933e93500d7ae4b4f02cf8ffd6e5a0180
Instruction Fuzzy Hash: 4B1110B6C002498FDB20CF9AD544BDEFBF5EB88224F10841AD918A7610D379A545CFA1

Function 08573BE0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e8f055f1455ca5fc4be97be7dd385e8c1f2d0190ab5ad2082bdcbe26e588b3
Instruction ID: 9931556c790f49c743d9fe81708f4bf894a42b27e3bc081f6251d8e51d5dd0d7
Opcode Fuzzy Hash: e7e8f055f1455ca5fc4be97be7dd385e8c1f2d0190ab5ad2082bdcbe26e588b3
Instruction Fuzzy Hash: 09127D30A00208CFCB24DF69E984A9EBBF5FF88315F548559E8199B361DB35ED42CB54

Function 08577BF8 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd44d95668739ce01abdf66ab9fc26c1db038f9efe08d0bdb8e70b60d4ac598
Instruction ID: 2a1e122ac3a27f77142b7c49b56d20a65f402f169dc62c82f238603555e22b12
Opcode Fuzzy Hash: 6bd44d95668739ce01abdf66ab9fc26c1db038f9efe08d0bdb8e70b60d4ac598
Instruction Fuzzy Hash: 0BF10B75A00619CFCB04DF69E598AADBBF6FF8C311B1681A9E415AB361CB30EC41CB54

Function 08577408 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a1b9de3c326cf539b994ce1d1fcc1e740acf2176510a78f5b15b36bca50fe9
Instruction ID: 5079ccf19e34aa6c557a12cd43412a855d61ebf994573eeb0d2b99438814ff3c
Opcode Fuzzy Hash: 16a1b9de3c326cf539b994ce1d1fcc1e740acf2176510a78f5b15b36bca50fe9
Instruction Fuzzy Hash: 85F13730A0061ADFDB11CF95E580DAEBBF6FF88301B16C569E955AB291C734E851CB90

Function 08575AF0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3119c622e4eee6b3ea4760d8ec3e36d8cabe349651c6fff22efbcd1debe9c222
Instruction ID: f00f9d9c933bf0ba46a310c4cc03f7123faf6679c0f8639d5ff732752535e3f6
Opcode Fuzzy Hash: 3119c622e4eee6b3ea4760d8ec3e36d8cabe349651c6fff22efbcd1debe9c222
Instruction Fuzzy Hash: 45C1E030600605CFC710CF68D984B6ABBBAFF85311F54C5AAE919DB391E731E912CBA1

Function 08572410 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a738c863e22537fcffd698a0d717cf2861276d9b73ffac580442d0c995961d8
Instruction ID: d06744674b08e9a6d368d40e97b9bdee7e83501c095254f7cc1ccb78f0dd34fe
Opcode Fuzzy Hash: 1a738c863e22537fcffd698a0d717cf2861276d9b73ffac580442d0c995961d8
Instruction Fuzzy Hash: 4BB18B347042548FEB159F39E958B2A7BA7BB88312F14896DE806CB390DF35C846CB91

Function 08575170 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db8c734103273c53dd233c5dd71758db056ec33aa880db991dbe0c95c4dce09
Instruction ID: 9048dafaf79ddb209a4f745717659fa8f87ad8a1e236f5cea67c1df3044c78f2
Opcode Fuzzy Hash: 6db8c734103273c53dd233c5dd71758db056ec33aa880db991dbe0c95c4dce09
Instruction Fuzzy Hash: 04B15F343206518FEB259B29E854B3D7AA6FF85603F18846EE103CF3A5FA69DC42C751

Function 08573BD0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0dbc76e30610232222c13426b5ca3d7be332da2cb7c10255d2d8f095b17db4
Instruction ID: a078e4ae4cd0309ee01969ca99dfd1f0f49d25ba78063492844dfadd4b75c45e
Opcode Fuzzy Hash: 9e0dbc76e30610232222c13426b5ca3d7be332da2cb7c10255d2d8f095b17db4
Instruction Fuzzy Hash: A6C15830A00209DFCB14CF69E984A9EBBF6BF88315F54C559E819AB361D735EC42CB54

Function 08572970 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ef816cc3da3b032009bd797e04c2f96a5afebf4f3a15f96bfa6fc93330e832
Instruction ID: e4f0909f0c851f1c9b31924f0baccf89e60ac4d1ff4148c7b49cf84f19fc0e2a
Opcode Fuzzy Hash: 48ef816cc3da3b032009bd797e04c2f96a5afebf4f3a15f96bfa6fc93330e832
Instruction Fuzzy Hash: 9C818034B00605CFDB14CF69E888A6AB7B2FF89216F14C569D50BDB365DB31E842CB91

Function 085741B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2334037dff0c84c8022841908365e227acfd9c9875e8ee162899feba47174188
Instruction ID: f8923f165718ca48ebe4126736f033c3c4a10fee969eb2fb1408f9ee1f416dd6
Opcode Fuzzy Hash: 2334037dff0c84c8022841908365e227acfd9c9875e8ee162899feba47174188
Instruction Fuzzy Hash: 23712734710205CFCB15DF68E894A6E7BE5BF49212F1980A9E80ACB3B1DB70DC81CB94

Function 0857C63F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4237c31c62a462bb166f11d127e90979c44b626207d30b5d3477bffa2e02f06
Instruction ID: 62920a57cef1d3837382fe421832813286a4eab23b98c54028e93a6323044160
Opcode Fuzzy Hash: b4237c31c62a462bb166f11d127e90979c44b626207d30b5d3477bffa2e02f06
Instruction Fuzzy Hash: 6F51E574F04645DFEB04DFA9E440BBEBAB2BB84312F10C566E556A73C0CB359D428B91

Function 085771B0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a09ab1f1b028c56dfe56c0c8e4b93cd56207172645310167d2be75d1baad96f
Instruction ID: bfe3dbe8033f09800076a222738481674329db4eeee4a35638f18d6425250482
Opcode Fuzzy Hash: 0a09ab1f1b028c56dfe56c0c8e4b93cd56207172645310167d2be75d1baad96f
Instruction Fuzzy Hash: E0615D70E00749DFDF15CFA9E5406ADBBF2BF8A301F24C259E815AB241D770A945CB50

Function 08578D74 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a078f2d1a1ed81e5426cf87b56c38333b07dd1767e5baf600b0e85b31b016e
Instruction ID: 7e67e05e5c6d6dc814e83619e68884fb0aaf42683b7b79d76450c0fd6d2a9252
Opcode Fuzzy Hash: 26a078f2d1a1ed81e5426cf87b56c38333b07dd1767e5baf600b0e85b31b016e
Instruction Fuzzy Hash: 49518F35B006158FDB15EFB9A84896EBBFBFFC5221B148569E419DB390EB309C068790

Function 085771A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadbffa717a7c0945cc930b30bf91e682633bc174416a79d20daa2abeacd0be8
Instruction ID: c9ec83d715a1e76a136b4d75c480f9ebc0ccd4324798d6b6310b00c564875c0c
Opcode Fuzzy Hash: fadbffa717a7c0945cc930b30bf91e682633bc174416a79d20daa2abeacd0be8
Instruction Fuzzy Hash: A3513970E00749DFDF15CFA9D5406ADBBF2BF8A301F24C65AE845AB241E770A985CB50

Function 08576383 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5431734a192ce8381e488b2d0aabd7345502cfebc3f0771534df1028efe63a
Instruction ID: c80ce280652884d87b1c7ebe7703b2591d9d6af0b363e845229c7c1c8502ccd8
Opcode Fuzzy Hash: 7a5431734a192ce8381e488b2d0aabd7345502cfebc3f0771534df1028efe63a
Instruction Fuzzy Hash: 6541AC35A00659DFCF11CFA4E884A9DBFF2FF95312F008159E805AB291D731E811CBA0

Function 08578A60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef3a273e83993fde574ddabeaa38e62362bc1c542c5dc14a6499adfb3605ed0
Instruction ID: 1c8d39c2766869d445d0abdb7cd3943adc448d667bd7c9d3669c99866a846b74
Opcode Fuzzy Hash: 3ef3a273e83993fde574ddabeaa38e62362bc1c542c5dc14a6499adfb3605ed0
Instruction Fuzzy Hash: 4F41B0B0D15608DFDB14DFA0D19865EBBB2FF80301F14C1AAC4259F361D7359A46CB8A

Function 085788D6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9eae9e5d6c5701abe13cde551e3d643979da3cdfcb0dbf3c5fd184d6fdbbc5
Instruction ID: 6c1333054b0a533265b9b02c667ef5886ddde4218777b64b9be84e1f6497d28b
Opcode Fuzzy Hash: 0c9eae9e5d6c5701abe13cde551e3d643979da3cdfcb0dbf3c5fd184d6fdbbc5
Instruction Fuzzy Hash: 1F31E7217183808FE7015774B8193697FF2AB86222F0588FBE456CB7D6CD288C46C76A

Function 08574FD0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5feb6d02a400afef79fb7efb14e1cd552da70bdb14c32ed000565dbb33794aee
Instruction ID: 0fd2e0257d3b4ec6a4203f83414a6e369410e571f35fe21ec3f0242f57fa139b
Opcode Fuzzy Hash: 5feb6d02a400afef79fb7efb14e1cd552da70bdb14c32ed000565dbb33794aee
Instruction Fuzzy Hash: 0F31B470714310CFDB269B25E89467D77A5FB81702B2888AEE015CB292FB66CC8187D1

Function 085714A8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8080eec88d290259557b18dd841ecb580e1dffb53bc71d25f1b976f7f2ad2a2
Instruction ID: f88e60c8dfae6d8156d10e35dfecd9ffd800ca3869466aceabb3f920af6dba86
Opcode Fuzzy Hash: c8080eec88d290259557b18dd841ecb580e1dffb53bc71d25f1b976f7f2ad2a2
Instruction Fuzzy Hash: C931823560464AAFCF059F64F885AAE3BB6FB89306F408058F91687354CF34C962CF94

Function 0857B834 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb2cd70dfe6130f4913f7c6aa039735c11e6c44c97ee126b0055b2b8e303a99
Instruction ID: bc9f3132ec1f79cce1a492f20f25ce4720dc4ca134f74bc0dd8f7d6483b7e287
Opcode Fuzzy Hash: cdb2cd70dfe6130f4913f7c6aa039735c11e6c44c97ee126b0055b2b8e303a99
Instruction Fuzzy Hash: E33159759002099FDB14DFA9D844ADEBFF9FB48320F14846AE808E7310D775A905CFA5

Function 0857FE95 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62d64e9357906f9aadeae4c6de410f3dd8581f8ad56b0d18c4e3ac6dee67ebb
Instruction ID: 52091c998b832fce7ae3a08cb7358f5b6ae7a77ab810623f26686f8e1935d97a
Opcode Fuzzy Hash: e62d64e9357906f9aadeae4c6de410f3dd8581f8ad56b0d18c4e3ac6dee67ebb
Instruction Fuzzy Hash: C431A274E04209CFCB44CFE4D4849ADBBB5FF49315F20946AE919AB365CB31A946CF50

Function 0857D5A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb21c96ba0cd0931154c87cb53fc1a0360fbc2ee455314eb424e8e776a53bad
Instruction ID: 6c2011d7b895de98d4791ff626580db46dc830d74994d01c34d026ed38261782
Opcode Fuzzy Hash: 7eb21c96ba0cd0931154c87cb53fc1a0360fbc2ee455314eb424e8e776a53bad
Instruction Fuzzy Hash: 8231B0709062A9CFCB14CF69E4806BEBBF1FF85202F54C5AAD49AE7249D734D941CB21

Function 08574458 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56bc808855bcfc342a89f3971c9c3168dda1c96c6f6cba273cca1b64e695fdd
Instruction ID: 00eb5f55817f0e9679892331ebadb366d33b7d10cc90392d726632f70a95b703
Opcode Fuzzy Hash: b56bc808855bcfc342a89f3971c9c3168dda1c96c6f6cba273cca1b64e695fdd
Instruction Fuzzy Hash: 6A21C2353002108BEB24273AE85463E769BBFC5607F14C07DD506CB394EE29CC839759

Function 08574448 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4be8111790f5e5d0aec3f67f8481e35fb8921c38f2a0a42d3cb061a276b53d
Instruction ID: c58fed8b999d047fecce252ef10892c7ee3d466660fae2a1a9924404009187c7
Opcode Fuzzy Hash: 9e4be8111790f5e5d0aec3f67f8481e35fb8921c38f2a0a42d3cb061a276b53d
Instruction Fuzzy Hash: F421CF353103108BDB24273EE85463D7A9BBFC5617B14C47ED506CB394EE28C843AB89

Function 08578918 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c983338216753160c48d8ed8afc808a4d640321410b99ebb67b4217c0d6a5c3c
Instruction ID: b15a734c0c94a1c33d95e914f9f5616805201375e16b9e2c23fba0833a7c3bdc
Opcode Fuzzy Hash: c983338216753160c48d8ed8afc808a4d640321410b99ebb67b4217c0d6a5c3c
Instruction Fuzzy Hash: 2421D3317143008FE7049BB8B91D72E7AE6BB85222F1089BAE517C77C5DE358C42C75A

Function 08577BE8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728235c0b5bdb6daa9119f0ea91dcb6758ee05842d79d5f6d5803080a6eb30b8
Instruction ID: 57924dc88937c4951b40df6436eae66a0cbce351eb3686e007bbd99ab3469920
Opcode Fuzzy Hash: 728235c0b5bdb6daa9119f0ea91dcb6758ee05842d79d5f6d5803080a6eb30b8
Instruction Fuzzy Hash: F9317171A006158FDB04DF6CE8849AEBBB6FF8D311B15C269E4169B3A1CB34DC52CB94

Function 0857D240 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab84a6769106db391b3d570fdb846bca6dc6ad694d69cdb9e71c5dfed00b4f6
Instruction ID: a01cff7bc55ef06e95aaab24bd4634359eccf09603113bed163bc750168eff98
Opcode Fuzzy Hash: 1ab84a6769106db391b3d570fdb846bca6dc6ad694d69cdb9e71c5dfed00b4f6
Instruction Fuzzy Hash: A231C130A09744CBDB208FA9E84067EB7B0FF45612F04C97BE956C7A89C33AD846C661

Function 0269D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350b60ee03a3f1d05e50dc6515e7d23e298bb8bf0efdab52cb14bb624811c48b
Instruction ID: 3df39b065ed2c5294aa93dfec2fac1181b88e9133b9d8b4eaa51fc6f5c51b2f1
Opcode Fuzzy Hash: 350b60ee03a3f1d05e50dc6515e7d23e298bb8bf0efdab52cb14bb624811c48b
Instruction Fuzzy Hash: BD21FFB2500240EFDF19EF14D9C0B26BB69FB88328F20C579E8090B256C736D456CBA2

Function 0269D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50885c1d2ee9f8dfc96e165f17afd5d7f92ffea5a9a99b1f62de5c44e23e4077
Instruction ID: b7d20d80568915cfd917e705496430e888bc29a1f183ea6b7f0b48fdc9660669
Opcode Fuzzy Hash: 50885c1d2ee9f8dfc96e165f17afd5d7f92ffea5a9a99b1f62de5c44e23e4077
Instruction Fuzzy Hash: AD210371500204DFDF18EF14D9C0B2ABB69FB89724F20C579E90A0F256C73AE456CAA2

Function 085727D8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00a8b4c96784ae704a28a11eab849bc6bc5812cd548ec5269b1a7e9fc4508c9
Instruction ID: 4d97cf6ab8423c1226196a2ce8cd2eefd2b76a2ca02fcdb9fc79c5342340a4d2
Opcode Fuzzy Hash: d00a8b4c96784ae704a28a11eab849bc6bc5812cd548ec5269b1a7e9fc4508c9
Instruction Fuzzy Hash: 2521F3307007119BE7259A69E49892E7796BF89752B1480ACE81BDB394CF21DC428B80

Function 026AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324430363.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f2d79c7ccca5b25a88a224257b3d6aafedfd507feebcefa1e4d147c088f1f6
Instruction ID: fbc797cafa5820b002f4aafbe66827096691ac3f83ddd390d0b2ebaf508c3c34
Opcode Fuzzy Hash: d8f2d79c7ccca5b25a88a224257b3d6aafedfd507feebcefa1e4d147c088f1f6
Instruction Fuzzy Hash: C021F271604384DFDB18DF24D9D1B16BBA5EB88314F20C56DD84A4BB96C33AD847CE62

Function 026AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324430363.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1edf08942fcea5f47fe177381604cb39d6c9353198cda41222419690f17993
Instruction ID: 7cc8d2048af104872d56805775e3ca069a9ceca0c1c99b390bea8cf127b753bd
Opcode Fuzzy Hash: 3e1edf08942fcea5f47fe177381604cb39d6c9353198cda41222419690f17993
Instruction Fuzzy Hash: 2821D071504204AFDB15DF50D9D0B26BBA5FB88314F20C5ADEA0A4BB92C33AD846CE61

Function 085798C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b2fda81f51ab8bb992a51ccca5c0847db08845ad3b3c6d110494c03b0bc500
Instruction ID: 9d6bc68c1be556d29637ffa22a46bf26c6c510adb793ba9dff053b6d7b0f37ea
Opcode Fuzzy Hash: 35b2fda81f51ab8bb992a51ccca5c0847db08845ad3b3c6d110494c03b0bc500
Instruction Fuzzy Hash: 4D213A30B04304CFE7149A7DA844B2E3AB7FBC8211B10857ED50AE7385DF388C0687A6

Function 08571498 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653f63fd3abc70ecee8b408d800830093cf5282f2e65b78ebdd54a94353d5e81
Instruction ID: d1ae8d69a905c245984c137afba31b71149e8afad4c5aeea59327c76acecf15a
Opcode Fuzzy Hash: 653f63fd3abc70ecee8b408d800830093cf5282f2e65b78ebdd54a94353d5e81
Instruction Fuzzy Hash: E02105356446499FCB049F64F485B6E3BA6FB86316F4480A8F8068B384CB34CD92CF94

Function 085798B1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fe19c3704cceb7cb16d815fc044f6d2cd5d0ad097a9648302888371366e378
Instruction ID: b47dab4f83be59d78b7aaa5decebb4a0ec304dff89a18ed1793819cb2a2118a0
Opcode Fuzzy Hash: 23fe19c3704cceb7cb16d815fc044f6d2cd5d0ad097a9648302888371366e378
Instruction Fuzzy Hash: 6911E730B04300DFE7109A79AC44A6A7FB7FBC9212F10857ED506E7285DB3889058766

Function 0857A4C6 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06b5e96c185990c55bb46859d2620c28cef326d3c6863ff03a062a477306b3f
Instruction ID: 1810828a9017539ad012710d47f8e1a9ae296e9c2c74498614181341b67dc78a
Opcode Fuzzy Hash: c06b5e96c185990c55bb46859d2620c28cef326d3c6863ff03a062a477306b3f
Instruction Fuzzy Hash: 0C31D1B0D01258DFDB21DFA9D584BCEBBF1BB48311F24841AE404BB250C7B55845CF61

Function 0857D3D0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f480b2b8e6d06451474ea3ef1a00415b746f2c13113d0d2655af96dbd59275
Instruction ID: 16db59bb165941d7109b2d9e6ab9422eee453fa57fc694fa6bb5a8ffe34fa6f1
Opcode Fuzzy Hash: 99f480b2b8e6d06451474ea3ef1a00415b746f2c13113d0d2655af96dbd59275
Instruction Fuzzy Hash: 0C212170A09259CBD7548FADE8802BAF7B1FF45302F40863BE516E7289D370A845C792

Function 08575839 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dfd5585e2b02dd5b1a78253f376aa2b63d539a94cb21a735f99a69d2b71115
Instruction ID: 0b7b6e81177d4c66957af0b8d84955bb2c1dfbe1df1a778b94b4705a5411df22
Opcode Fuzzy Hash: e3dfd5585e2b02dd5b1a78253f376aa2b63d539a94cb21a735f99a69d2b71115
Instruction Fuzzy Hash: 4C217A74E01249DFEF04DFA5E544AEEBFB6BF89301F2480A9E411A6250EB309942DF60

Function 0857D3C2 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91289bdfff1d77303f8ffe1ceb972cbf8fa0645ade48898b7e08f8ae69e03342
Instruction ID: f034cfe0fa8598079700cd55286da856fa5cb7099038cf812d5660793fa425d7
Opcode Fuzzy Hash: 91289bdfff1d77303f8ffe1ceb972cbf8fa0645ade48898b7e08f8ae69e03342
Instruction Fuzzy Hash: 3C21DCB5E05615CBDB508FA8E8C03BEF3B1FF40202F04863AE615EA28AD374A955C795

Function 0857A4D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74729c4f8be190083cb80ae0cfd05aeade00fae92e4b2fc6af36957e93a04ba5
Instruction ID: 4d3a147abf1b72bd7999f2d3217a921e89bc72c68281dc6ecc56a91cd1a8b13b
Opcode Fuzzy Hash: 74729c4f8be190083cb80ae0cfd05aeade00fae92e4b2fc6af36957e93a04ba5
Instruction Fuzzy Hash: 3721D0B0D01258DFEB21DF9AD588B8EBFF6BB48315F24841AE404BB250C7B95845CFA5

Function 026AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324430363.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2101055edf99aabed077b802af17533c0c2f55abe3324edd3bae27a8c32d09ee
Instruction ID: 3a014c4cd25483de80f71d84164e694d2e8da8e7eb2ba82f438e4dd7d6f49856
Opcode Fuzzy Hash: 2101055edf99aabed077b802af17533c0c2f55abe3324edd3bae27a8c32d09ee
Instruction Fuzzy Hash: 572150755083C09FCB12CF14D994B11BF71EB46314F28C5DAD8498F6A7C33A9856CB62

Function 08578D64 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963001a3f2cd0512f225ead463f6a9d8471c3f8de6fcff4c298b27a64b64b32b
Instruction ID: 489c3bf333fbd41231b1768aa813700c41ddad55d16f3c9eb1eec3eaa2478403
Opcode Fuzzy Hash: 963001a3f2cd0512f225ead463f6a9d8471c3f8de6fcff4c298b27a64b64b32b
Instruction Fuzzy Hash: D3116A71B002198BCF25EBB8A810ABEB7F6BB89311B108079C505F7244EB368D02CB95

Function 085727C8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910894ac745fcb0e71a0c3d728ca58ab900bbc91eeb70cffaa7c9a5e4276c9f7
Instruction ID: d6123f6d379acddcb2d8d29a80315aedec49a79491153ab96c2c03a8c1eccc3a
Opcode Fuzzy Hash: 910894ac745fcb0e71a0c3d728ca58ab900bbc91eeb70cffaa7c9a5e4276c9f7
Instruction Fuzzy Hash: 1E1106357007118FE7259E69F498A2D77A6FF85752B1985BCE807DB390CF21DC028B80

Function 0857A310 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148e20e5cf9b90d1fcb0e3c5da104385edb77cc8c05c9c0f54c3afca42a5b1f8
Instruction ID: 1e5a8cb49feeebf343fc63982cfa992599c92f28ef900c16e0444fcd632a7f11
Opcode Fuzzy Hash: 148e20e5cf9b90d1fcb0e3c5da104385edb77cc8c05c9c0f54c3afca42a5b1f8
Instruction Fuzzy Hash: A111C675A006159BDB11DE799844ABFB7FBFBC4261B14852DE815D3340EF309D068B64

Function 085778D8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba0e517f5714b03305c2c7bdcf13e8094b50760d1a4b6d38b6c3997ed3e623c
Instruction ID: 8471a45f4f6b322fb9197735e1b93e664fb495416c2705344053bb2870dbb088
Opcode Fuzzy Hash: 1ba0e517f5714b03305c2c7bdcf13e8094b50760d1a4b6d38b6c3997ed3e623c
Instruction Fuzzy Hash: 1A116D35B10204EBDB14DF65E845A9EBBBAFF8C311F108069F916A7390DA31AC51CBA0

Function 0857D4C8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44df4f30263bcdc10e5856553e37680c6e8b2c5837f1718ae87b646c1f752a3a
Instruction ID: 8acfd4e6a496f89238984a0bab13bac7ba1e6296cad35e3805276232f351ba85
Opcode Fuzzy Hash: 44df4f30263bcdc10e5856553e37680c6e8b2c5837f1718ae87b646c1f752a3a
Instruction Fuzzy Hash: 7C110230B42240DFE7244A25E804B2977A3FFC5706F55C46EE006DF29AD9A5D8428791

Function 0269D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: 909bdf03d7f197f59818441a0900e7b7f52f006937530d8ce7ab2f38195d697d
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: 2611B176504280DFCF15DF10D5C4B16BF71FB84328F24C6A9D8494B656C336D456CBA1

Function 0269D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: bb91e14bc4b0773377af14b58fbaa01e05807caf7c667a2ee29f79ec04841f17
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: E311DF72404240DFCF15DF00D5C0B16BF71FB85724F24C6A9D8090B656C33AE456CBA1

Function 0857B844 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72d0c6407f49e4fc28c70f113d6c281dda1fed6bd7441e1645c3995778cb3fc
Instruction ID: cd83ddac736f66a0c846008461d854122da8ac1dd5ae0fc77caa7082e9e5f788
Opcode Fuzzy Hash: f72d0c6407f49e4fc28c70f113d6c281dda1fed6bd7441e1645c3995778cb3fc
Instruction Fuzzy Hash: 1921D6B590034D9FDB10CF9AD844BDEBBF5FB48320F10846AE919A7210D379A954CFA5

Function 026AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324430363.00000000026AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 026AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26ad000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: ece1643325d2abc2702e36194c89a098434df7a62b558dfff49e93f0d9112d8a
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: F4118B75504280DFCB15CF50D5D4B15BBA1FB84318F24C6AAD9494BBA6C33AD84ACF61

Function 0857D4D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2518c4a983a88204d4bc366c2ce998bd78c58585bebc304cfcd0a566d09ec3ca
Instruction ID: cbac71e001a72348b9faa85c6697f7b0196f1a49a1f4725a0f30d870387987d2
Opcode Fuzzy Hash: 2518c4a983a88204d4bc366c2ce998bd78c58585bebc304cfcd0a566d09ec3ca
Instruction Fuzzy Hash: C7012630B41240DFE7244A16E804B29B7A3FFC5707F11C42EE006DF299C9B5D8018791

Function 0857D3EF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f466bf6e63f100faf231a8195ebc2b057f6c7955e68c4b45c5005dd4eae501e
Instruction ID: de427599be86721e48b0838e6832b457a31a316b8e6cf4c4c82ae0b6e6564c44
Opcode Fuzzy Hash: 3f466bf6e63f100faf231a8195ebc2b057f6c7955e68c4b45c5005dd4eae501e
Instruction Fuzzy Hash: BB019AB1A05525CBEB548FACF4803B9F2B1FF44303F408626E626EA2C9D3B4A951C795

Function 08578C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ce573b50cd2d2a53c563eb5fb926762399389ffcb6b65c43199832fc048e50
Instruction ID: 4337dd2386e192a6342a02a5be64e04c041ba5ece59a7c7f25550f61786f4a52
Opcode Fuzzy Hash: c5ce573b50cd2d2a53c563eb5fb926762399389ffcb6b65c43199832fc048e50
Instruction Fuzzy Hash: 1A01D6A170E264CFD3108A69EC8462ABFACFB45722F09CA77E515DE281D224C8418359

Function 08571F70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b32c9c3075250f7cc760bc86c4a36a24a89a6d0213c3932c64f135a3c9afd85
Instruction ID: 755f12f3d0976627d70690f18fe7df77e44fecffb688f30baaa9ff41cac31abb
Opcode Fuzzy Hash: 7b32c9c3075250f7cc760bc86c4a36a24a89a6d0213c3932c64f135a3c9afd85
Instruction Fuzzy Hash: 88F0FF33A005096BCB019E59FC02BAF7BAAEBC8751F14C029F914D6280CB76C9129BA0

Function 08571F80 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63bbecbe94f607f4482b0d8c6267d41db72f2d3c589c66ccd685c496a134762
Instruction ID: c551c18831c62684051f798bda68f19e25942ba832fd1d68be1a6de4aee79207
Opcode Fuzzy Hash: e63bbecbe94f607f4482b0d8c6267d41db72f2d3c589c66ccd685c496a134762
Instruction Fuzzy Hash: 8A01D132B001146B8F059E59B810AAF7BABEBC9751B14C069F905D7380CF79CC129BA4

Function 08576221 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376d42bccf2cd12bf345b7b7a4d0dfbadc6e23970f43f2804a7c64f50f9e7c88
Instruction ID: 3e197ff6b90a24613f104a9c45f3b74eb8972884e8333a2f38d9987ce88e1857
Opcode Fuzzy Hash: 376d42bccf2cd12bf345b7b7a4d0dfbadc6e23970f43f2804a7c64f50f9e7c88
Instruction Fuzzy Hash: 09011331A002199FCF08CF98D9448DEBBF9FF88311B00812AE905AB254DB71A919CBA4

Function 08578469 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddcc45a623dd115c8816d647cc77f2f4ecb333a6647a187d2eccc8751e115751
Instruction ID: eca1891c447dbcff5e73f8476aed7177f8ece042332a319de1e0aadcd5c14438
Opcode Fuzzy Hash: ddcc45a623dd115c8816d647cc77f2f4ecb333a6647a187d2eccc8751e115751
Instruction Fuzzy Hash: DA111730D0060DEFEB44EFA4C99169EBBB6FF88300F5085AAD415EB355EB355A068F85

Function 0269D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace9b63c327bac7f2b82a68bb9986e8d4040f442dca17eafb394e8b2e048c587
Instruction ID: 317c5eca07c2b8e2973df7de61617050ac1e229a49300fb5712a1347e9a6dd5a
Opcode Fuzzy Hash: ace9b63c327bac7f2b82a68bb9986e8d4040f442dca17eafb394e8b2e048c587
Instruction Fuzzy Hash: 0D01A771404344AEEF246A25CD84B66BBECDF41224F18852AED094E386DB7A9441CA76

Function 085799C8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3932b13303b2623d6903631de958b6a8297ed51a09cbef007bc764cd3f5158fb
Instruction ID: 27c667a6dc3341145e3bf23a603123731378f2a369458d8bbe55e45d7e13d844
Opcode Fuzzy Hash: 3932b13303b2623d6903631de958b6a8297ed51a09cbef007bc764cd3f5158fb
Instruction Fuzzy Hash: 3501E974E0121ADFCB14DFA9D5809AEBBF2FF48301F118966E416EB341E634AD81CB94

Function 0857F408 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb67cf5b84ee6ac1af82f1af3d984c262e44be2eedf36ccd063351fb6ab3868
Instruction ID: 033b317a6334e50d5af49399935587012ae19a181abda280b18fe38fe42ef6ff
Opcode Fuzzy Hash: dfb67cf5b84ee6ac1af82f1af3d984c262e44be2eedf36ccd063351fb6ab3868
Instruction Fuzzy Hash: DAF0903605F3E09FC72A8BA4B9586B53FB46B43112F0996CFD089AB463C6A14419D362

Function 08576F48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
Instruction ID: 5e007a51eb3ca6f1de414678c1b92cc38609b7dd82e1c72248e3ce5eb41f78f2
Opcode Fuzzy Hash: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
Instruction Fuzzy Hash: 16F09076B046155FCB24CE19E444ABE77EAFBD8222F15C47AE015C7350D935D8418750

Function 08578478 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90887d249aaec11b4a584fb46152c400d64528506573b06fb1719c9e1add5c6a
Instruction ID: 6c04b28d85706c7fd297b9fbc4853339905353673c6c0aacd85c7ec095f6292a
Opcode Fuzzy Hash: 90887d249aaec11b4a584fb46152c400d64528506573b06fb1719c9e1add5c6a
Instruction Fuzzy Hash: 1D01E570D0030DEFEB44EFA4C591A9EBBB6FF48300F5085AAD115AB354EB355A019F89

Function 0857A884 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c51e045839f6974a7f28d271daa15b38fc00b2efde1ef413c9c19a7bf2045dc1
Instruction ID: 9018a5e515058810feda28f46a5a0376d06fd5d3e447cfb75bff20abf7fed82b
Opcode Fuzzy Hash: c51e045839f6974a7f28d271daa15b38fc00b2efde1ef413c9c19a7bf2045dc1
Instruction Fuzzy Hash: C1012171C04269DFEB15CF69E4447EE7BF1BF44321F24C65AE424AA291D3744985CF90

Function 0857FE5E Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb77e672be05f8b19078eedca8efc911ed765e102b26cc32fc109b9fb492fa7
Instruction ID: aa4f833f14ba9962ab2684d15ca6f1e7aadbbb3b31d735fafbe0d34bb977e0f6
Opcode Fuzzy Hash: 8fb77e672be05f8b19078eedca8efc911ed765e102b26cc32fc109b9fb492fa7
Instruction Fuzzy Hash: 2401E838A08348CFCB40CFA4D844AADBFB6FF4A301F109459D809AB755DB309801CF00

Function 0269D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324370246.000000000269D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0269D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_269d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8e425cae2a1c47f92c2e0f6b85f10d2b0e568a3ca44cc2a4928def467e2728
Instruction ID: ca2e84c28c0457e2426080d31f985dd16cee249763121bb62c117d6e42c715e2
Opcode Fuzzy Hash: 3f8e425cae2a1c47f92c2e0f6b85f10d2b0e568a3ca44cc2a4928def467e2728
Instruction Fuzzy Hash: C9F06272404344AEEB209A16DD84B62FFACEF41634F18C55AED084F386D779A844CAB5

Function 0857A890 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0589bccd0a6d3bf83a2dab47ad44f227880449aae0047325e0e1b3114a153c3d
Instruction ID: 6d0fc66356f4736577e11fb53c5fa9f71e482ccc334942f39ace5c67544fd993
Opcode Fuzzy Hash: 0589bccd0a6d3bf83a2dab47ad44f227880449aae0047325e0e1b3114a153c3d
Instruction Fuzzy Hash: 6D01BB70D00229DFEB15DF6AE4047AEBAF5BF48351F14C629E424AA290D7744A85CFD0

Function 0857A92A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01b37c13ddd4b3089dc28874fd5a86d04f0577ef2917f8191f247e67bc35c23
Instruction ID: a09497a109e97f8c705acbc70db5e238c668e52154206ebc10a7ad2a19992df6
Opcode Fuzzy Hash: a01b37c13ddd4b3089dc28874fd5a86d04f0577ef2917f8191f247e67bc35c23
Instruction Fuzzy Hash: A1F030727046186F97049A6EDC84D6BB7EEFBCC671355817AF50DD7310D9319C0186A4

Function 0857A930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40628cf1faff80e96dc46add6f95968292c813ca4af143bfdbdece998870205
Instruction ID: d66a366197d3b13d2f0624215f85b8ec29c01d230e6033aaaf64b17bc63e3310
Opcode Fuzzy Hash: d40628cf1faff80e96dc46add6f95968292c813ca4af143bfdbdece998870205
Instruction Fuzzy Hash: 4DE039727042286FA3049A6AE884D6BBBEEEBCC670351807AF508C7310D931AC0086A4

Function 0857BC78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52940cc28c7f70f7817f065357ebae2ff012c570789942e2f71b311b4e76a881
Instruction ID: 7f47a580c05cc82869f45f32b37054f20743584593b2b61513647d37469c5936
Opcode Fuzzy Hash: 52940cc28c7f70f7817f065357ebae2ff012c570789942e2f71b311b4e76a881
Instruction Fuzzy Hash: CBF02771B093849FDB06CBB49C198AE3FF89F8210071884EBE905C7342F9349D06D322

Function 0857BCD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ac67253de7642e114fb8605926598a021df97a3f1674846e8890e221400e8c
Instruction ID: 40ecb955c9c015b35f6c2bd0c757c65131390bbb1add643142eb0797db90fa86
Opcode Fuzzy Hash: 64ac67253de7642e114fb8605926598a021df97a3f1674846e8890e221400e8c
Instruction Fuzzy Hash: B2F082B2A041096FDF46DF94E84199A7FBAAF44214B19C1EBE404E7361F7319A108755

Function 0857FF85 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cdf48848ac95351ab3b19fbce5852dd09cab968ee037e39736a1f13244f369
Instruction ID: 02dca5497f93c4f4e50ef7a14130ca5d7c5e1e54e2142c2b7b5ec8f98e40a319
Opcode Fuzzy Hash: f3cdf48848ac95351ab3b19fbce5852dd09cab968ee037e39736a1f13244f369
Instruction Fuzzy Hash: 4EE0B636E08108CE8F00DA85E8808DDFB75FB85316F408056D92867211DA3054168FA2

Function 08572C11 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ae5325d44d93063a91a8da08eee8ff75fa81c582fdf0f2223e825ee6b00c9c
Instruction ID: 5a2d8fc990df59bf7ccd43256f8bae90a43462117f14e725bf664b8d3ffb2255
Opcode Fuzzy Hash: a0ae5325d44d93063a91a8da08eee8ff75fa81c582fdf0f2223e825ee6b00c9c
Instruction Fuzzy Hash: C1D0A93280470507EA45FB30F843B0C33BEFBC0200F5081A0F8080E62AEF6C988A4AAC

Function 0857FEB6 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4542b79c7c5635b00a11a4dec8e3f850721e17074ab3db230dc8beb84569fc10
Instruction ID: 207df381d5f652c602d96359719836751eab102c513e3eca906d397e887368c3
Opcode Fuzzy Hash: 4542b79c7c5635b00a11a4dec8e3f850721e17074ab3db230dc8beb84569fc10
Instruction Fuzzy Hash: A4E0B638A08244CFC744CFA0D4448ACFB75FF4A305B11D99AE8066B326CB309842CF00

Function 0857F388 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e4ddf57040342210b277ccc04962a39bc6b0da3a996666b0ddf490fccf38a0
Instruction ID: fc59c17f32c0e912fd9e9fb383ccd04d5d0ecc63aa5d9c19795425e34250a507
Opcode Fuzzy Hash: d7e4ddf57040342210b277ccc04962a39bc6b0da3a996666b0ddf490fccf38a0
Instruction Fuzzy Hash: A4D05E32409390DFE7165B64AD2C6943F61EB12202F05518BE84CE2863C7640A58D772

Function 0857F65E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fec8f70e153701f37820b9c186f2447f2d40d1e951d581d27d4b97c6dce004
Instruction ID: 3a288d1d468129e94d2aa5dd0b819e6a4a569fc98666467f2deb5ecb7378fb8c
Opcode Fuzzy Hash: 00fec8f70e153701f37820b9c186f2447f2d40d1e951d581d27d4b97c6dce004
Instruction Fuzzy Hash: F3D05238A43208CFEB20DF14EC50AD8BB79FF88221F0052E2E20CA3210EA301A85CE00

Function 08572C20 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809cdedc6163be40f144c11f448230a3978775c7ea98ca34cebe857f13b805b3
Instruction ID: faab734720a6b1c1dad129ec7057df0f049e5316ca2a000192a4761124329ebc
Opcode Fuzzy Hash: 809cdedc6163be40f144c11f448230a3978775c7ea98ca34cebe857f13b805b3
Instruction Fuzzy Hash: 0FC0123591070547D945FF61F845D1933BEAAC410075045A0B0050E62DEF7858454A99

Function 0857F398 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086b933863421f3e847a6f65d2f750a2e7ae4c7d8b3d46f8c61822a4c5012d2d
Instruction ID: c3c8341fffa0f6a4017b077a153cec9c7945f5ca39424cbd01ee81575b3295b0
Opcode Fuzzy Hash: 086b933863421f3e847a6f65d2f750a2e7ae4c7d8b3d46f8c61822a4c5012d2d
Instruction Fuzzy Hash: 45C08C31001304CFD22867A4BA0C3243AA8E701203F40601AE00D62422CBA04418EA36

Function 085759C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7ef47ec6e405b246add5fc5bc9da8fb5ae1da5ee94f62b1d6bd2b939ff6589
Instruction ID: 647e1207894b063b7c378ff4cc232d95ba4b18353fa4cedb781f615f3f6d90df
Opcode Fuzzy Hash: 7a7ef47ec6e405b246add5fc5bc9da8fb5ae1da5ee94f62b1d6bd2b939ff6589
Instruction Fuzzy Hash: 7FC012356DA0419BE71207F0DC663C077B0E306200FCC20B2CCD4B9715D31C84079B68

Function 0857BCB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56907aaf48a1093f373aabdd909c6c9b46f98c7fbf9d018d0f1030b94bd78dd
Instruction ID: 66d651404a2d4744c33feee3ff6d3e51967ee2bcf3082b15c1c71f2e413d0379
Opcode Fuzzy Hash: c56907aaf48a1093f373aabdd909c6c9b46f98c7fbf9d018d0f1030b94bd78dd
Instruction Fuzzy Hash: 86C09B9615F3C10FF31757745C215962F3059B310938D52D3C3D457163D5185059E73B

Non-executed Functions

Function 06C7CC60 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357a4fb6a1e72f284e245e10cb65350435affcd609ae8a01aa3404ef61f95b1d
Instruction ID: ef4fa3921da78d1bcac57363cd78a29f5f1605cf6bfcb10beefe8bb6396e1289
Opcode Fuzzy Hash: 357a4fb6a1e72f284e245e10cb65350435affcd609ae8a01aa3404ef61f95b1d
Instruction Fuzzy Hash: 2FD17C31B006098FDBA5EB75C460B6EB7FAAF89700F14446ED15ADB390DB35E902CB51

Function 06C73E08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e686a2ba35fc8e03e0edf2d0866cd7f243e6e7c3732da1cd9c9b9c0dcf68e8aa
Instruction ID: 1539668c49742cc0dec609071425446421e49cd17e95f1551f4d7b4c609b1de1
Opcode Fuzzy Hash: e686a2ba35fc8e03e0edf2d0866cd7f243e6e7c3732da1cd9c9b9c0dcf68e8aa
Instruction Fuzzy Hash: 15E11B74E102598FDB14DFA9C580AAEFBF2FF89304F248169E415AB35AD7319941CFA0

Function 06C74240 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d3ca5af152111000b0046e8caddcdcc2e962d4cf4a58c984a0e9bba1ca214f
Instruction ID: a5fddf7a0aea99cb442c9b69c32635d7524c2eb9f7152ab0177eb31a86ea3302
Opcode Fuzzy Hash: 79d3ca5af152111000b0046e8caddcdcc2e962d4cf4a58c984a0e9bba1ca214f
Instruction Fuzzy Hash: D1E10974E102598FDB54DFA9C580AAEFBF2FF89304F248169E415AB356D730A941CFA0

Function 06C75A48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb77ff4592fad4b56b11568c5205e7416cc37daa3bd5335086703e194a061c45
Instruction ID: 2b04513b4fc18467703cd28760284c8508f8ae4a12d66b59dffa257f755bafb4
Opcode Fuzzy Hash: fb77ff4592fad4b56b11568c5205e7416cc37daa3bd5335086703e194a061c45
Instruction Fuzzy Hash: A0E10C74E002598FDB14DFA9C584AAEFBF2FF89304F648169E415AB355DB30A941CFA0

Function 06C76320 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca1a92cafcc2b3044a1a332081bf1ddd4b78e50c88a8324b36eb346c58152dc
Instruction ID: 11fde64f5f4561ffc1caed55e46310ee85257aee1e9aeaf392c1423a23c33af1
Opcode Fuzzy Hash: cca1a92cafcc2b3044a1a332081bf1ddd4b78e50c88a8324b36eb346c58152dc
Instruction Fuzzy Hash: 91E12A74E006598FDB54DFA9C5809AEFBF2FF89304F248169E415AB35AD730A941CFA0

Function 06C739D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3302d1c56ebba6aacd24e965ac8ef864e2ce8b418c94f44cafed25d7c2d675
Instruction ID: 8835e3c4dd7345cf871becdaa57f49c17e0a483a997e3cbd01eaad0ff55bb5b4
Opcode Fuzzy Hash: ee3302d1c56ebba6aacd24e965ac8ef864e2ce8b418c94f44cafed25d7c2d675
Instruction Fuzzy Hash: 0FE13C74E102598FDB14DF99C580AAEFBF2FF89300F248169E419AB359D730A941DFA0

Function 0857AE97 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee90a3d5ca1f5436e17dee1eb3810ff48a349c116654c21e8ccb2902f49dea3
Instruction ID: 054be17d33c114cec7a6564749e7d4bfdbe2faef48ddb187dd38098ad9134537
Opcode Fuzzy Hash: 4ee90a3d5ca1f5436e17dee1eb3810ff48a349c116654c21e8ccb2902f49dea3
Instruction Fuzzy Hash: 8ED1F435D10A5ACACB10EF64D950AD9B7B1FF95300F20979AD1093B611FB70AAC9CF91

Function 0857AEA8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1330869784.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47c7b568328c978433aa71075284e649920988104cbce98c99c1c07832d365d
Instruction ID: 7ef30092b810350c11dc4712b7316d1315a89003dfde96b87524cc2d4cc11a6f
Opcode Fuzzy Hash: e47c7b568328c978433aa71075284e649920988104cbce98c99c1c07832d365d
Instruction Fuzzy Hash: A2D1F435D10A5ACACB10EF64D950AD9B7B1FF95300F20979AD1093B611FB706AC9CF91

Function 026FD304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1324648272.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26f0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d95d2379910c6a6116df0fc8f77f21e8dc0f5f8701821e724f435182d552334
Instruction ID: cd984e329be86dd55620456391daa7d0708723e40360e686864239e0be2d9e1c
Opcode Fuzzy Hash: 1d95d2379910c6a6116df0fc8f77f21e8dc0f5f8701821e724f435182d552334
Instruction Fuzzy Hash: 3CA18E36E002098FCF15DFB4D89099EB7B2FF85304B1541AAEA01AB7A5DB75E906CF40

Function 06C7630F Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1328099322.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c70000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc27812677ac169cd5b069f6b6419caac6ed826eba6f57b60d317eee2f18a81e
Instruction ID: 73e2f60fdce23f3724dff8f9a2ad755bb7314f6479915881cce37649b656a229
Opcode Fuzzy Hash: cc27812677ac169cd5b069f6b6419caac6ed826eba6f57b60d317eee2f18a81e
Instruction Fuzzy Hash: 71513E74E006198FDB14DFAAC5905AEFBF2FF89304F248169D418AB356D7309942CFA1

Analysis Process: Cotizaci#U00f3n P13000996 pdf.exePID: 7836, Parent PID: 7400COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	11.1%
Total number of Nodes:	27
Total number of Limit Nodes:	4

Executed Functions

Function 014D70B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 014D712F

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3b278e8d06dc68260984ced65fe47443a1892c78867ae43e505ed3e1392c539a
Instruction ID: e378659c92db62523d5362ad5e5e0ec133da0ead689e98aaa4160b6c201e9cfe
Opcode Fuzzy Hash: 3b278e8d06dc68260984ced65fe47443a1892c78867ae43e505ed3e1392c539a
Instruction Fuzzy Hash: 732145B18002598FDB14CFAAD884BEEBBF4EF49210F14841AE858A3350D778A944CFA4

Function 06B3C120 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2580339994.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f60f354fcc9ab283713053d198f6d60582687fa4b2b94ace5134750b83d7514
Instruction ID: 4d920f3a2f4bdd4fd2fa1bc11eb3d1b70a63227e7a51ac104535702e798b2880
Opcode Fuzzy Hash: 9f60f354fcc9ab283713053d198f6d60582687fa4b2b94ace5134750b83d7514
Instruction Fuzzy Hash: 6D414472E143A58FCB14CFB9D80429EBFF5EF89210F1485AAD404A7281DB389844CBE0

Function 06B3C1F0 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06B3C172), ref: 06B3C25F

Memory Dump Source

Source File: 00000009.00000002.2580339994.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c6fa5cb359cf42b5fd2914ea642eaed3fca58d31df77ef0c56feb22970b9acf6
Instruction ID: f090ec8497fd29981cfbf33ebc12c2148d3a8748a45c5fd4727476f1a8cf309b
Opcode Fuzzy Hash: c6fa5cb359cf42b5fd2914ea642eaed3fca58d31df77ef0c56feb22970b9acf6
Instruction Fuzzy Hash: 202189B6D002699FDB14CFAAD9447DEFBF5EF48310F14806AD854B7241D738A9408FA1

Function 014D70B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 014D712F

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 74526fb50d807938ad54c4ca575ebee34d889ea89eec16cb00780cf43fa51b3e
Instruction ID: ca8d6fb646bae3136b4a3b10e17d5c0e7e13d858fd3969ecf3f8f00e862b461b
Opcode Fuzzy Hash: 74526fb50d807938ad54c4ca575ebee34d889ea89eec16cb00780cf43fa51b3e
Instruction Fuzzy Hash: 772175B2C00219CFCB14CFAAD484BEEBBF4EF48210F14841AE848A3351D738A944CF60

Function 014DF028 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DF0B7

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d2c9cb82114f815483637a0e54b1f92f2c73a83481d88dd51f5e6282112265e2
Instruction ID: 4dee2961d8f871e140864601275b2474a49c5642b4c799992e8e495c4ecd646e
Opcode Fuzzy Hash: d2c9cb82114f815483637a0e54b1f92f2c73a83481d88dd51f5e6282112265e2
Instruction Fuzzy Hash: D321E0B5D002499FDB20CFAAD484ADEBFF4EB48310F14841AE959A7350D379A944CFA5

Function 014DF030 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DF0B7

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e8bb1ba759c7633d2db7631734373747d07dd0e95a3338fec23bf834b31d5fdb
Instruction ID: d16f52f5aa4cb9d259bc2db436fd537554497a0361cedd8f7de3143ca7fd394e
Opcode Fuzzy Hash: e8bb1ba759c7633d2db7631734373747d07dd0e95a3338fec23bf834b31d5fdb
Instruction Fuzzy Hash: 3F21E2B5D002489FDB10CFAAD884ADEBBF8EB48310F14801AE918A3350D379A944CFA5

Function 014D8430 Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014D84A8

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 181e049bfc90ab083f00ae3cdc9c79470a4eeccd176796b75025f56fe3f35c74
Instruction ID: 5a67a1ab8de776525525529e4962da390c132b6444178e605127924fa678248f
Opcode Fuzzy Hash: 181e049bfc90ab083f00ae3cdc9c79470a4eeccd176796b75025f56fe3f35c74
Instruction Fuzzy Hash: AD2144B1C0065A9FDB14CF9AD845BEEFBB4EB48320F14812AD818A7340D738A905CFA5

Function 014D8438 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 014D84A8

Memory Dump Source

Source File: 00000009.00000002.2555614522.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_14d0000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8be93c50c2b3d58a78adea0bdcc3247cb74216e0795675c310285314d6386870
Instruction ID: fe5f273a59c06363596d3b77cc744febcdcd0b868a0f8e86974085cf26cb2051
Opcode Fuzzy Hash: 8be93c50c2b3d58a78adea0bdcc3247cb74216e0795675c310285314d6386870
Instruction Fuzzy Hash: 701133B1C0065A9FDB14CF9AD444BEEFBF4EF48320F14812AD818A7640D778A940CFA5

Function 06B3B918 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06B3C172), ref: 06B3C25F

Memory Dump Source

Source File: 00000009.00000002.2580339994.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a384f80f53c845ba25a34b70279ad4dd422c58da3113fa0433850b9c84f78461
Instruction ID: 97181b5c1fa8b1759a3beab520033410bf7aa738749edb75c7d8b0e2e4752f2c
Opcode Fuzzy Hash: a384f80f53c845ba25a34b70279ad4dd422c58da3113fa0433850b9c84f78461
Instruction Fuzzy Hash: 191122B2C006699FDB10CF9AC444B9EFBF4EB48220F10816AE818B7241D778A914CFA5

Function 06B3C2A4 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06B3C172), ref: 06B3C25F

Memory Dump Source

Source File: 00000009.00000002.2580339994.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d315269e693f426406f96f160dba4007bd1ddee2d425b84386afd1c9946b73c8
Instruction ID: 6422ec3dad4f2be8527e05e1ae583e0b24371e76b7d67c8fd153d721c7f55e98
Opcode Fuzzy Hash: d315269e693f426406f96f160dba4007bd1ddee2d425b84386afd1c9946b73c8
Instruction Fuzzy Hash: B001F972C053659FEF219BE9C8053DCBFA0AF05324F058196C444BB142C33D950ACBE2

Function 0128D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2552776213.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_128d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608ef27cd6cc1f8d5de97a46129dbacf1266c6798f18e43485b9c93ea82df6ec
Instruction ID: d35ace5f495ed86b421784bc0d2683140799db024bb6596dcd7407acb1c8eca9
Opcode Fuzzy Hash: 608ef27cd6cc1f8d5de97a46129dbacf1266c6798f18e43485b9c93ea82df6ec
Instruction Fuzzy Hash: 47212271524308DFDB15EF94D9C0F26BBA1EB84314F20C66DD90A4B2D2C37AD84BCA62

Function 0128D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2552776213.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_128d000_Cotizaci#U00f3n P13000996 pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: b9448e715bf4b214b6e354f4f755d66f1c2ea761050b811d0c49830c7a0581d6
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: C311BB75504288CFCB12DF54D5C0B15BFA1FB84314F28C6AAD9494B697C33AD44BCB62

Analysis Process: jHJQWf.exePID: 8012, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	215
Total number of Limit Nodes:	12

Executed Functions

Function 071B6B78 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071B6DAE

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 569266e8d7a25afc2ff360cbd838d2412acf3febeb7c02a64998000a45ccda9c
Instruction ID: bbea8b72d3e4ed2d37316c5b89c5a2860d3f52c947bbb7d36316b1336800d0bc
Opcode Fuzzy Hash: 569266e8d7a25afc2ff360cbd838d2412acf3febeb7c02a64998000a45ccda9c
Instruction Fuzzy Hash: 8C913CB1D10219CFEB25CFA9C851BEDBBB2FF48310F148569E818A7280DB759985CF91

Function 071B6B71 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071B6DAE

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dcb55ebbd725e403ba79b5d8d30072d3dc08facad7e4f7580a4ebae8e955ec11
Instruction ID: 84f425e6f8378c9c51d2d0bcf98da582fdbd1f0dcfd8bcff442b861a51ad0507
Opcode Fuzzy Hash: dcb55ebbd725e403ba79b5d8d30072d3dc08facad7e4f7580a4ebae8e955ec11
Instruction Fuzzy Hash: FD914DB1D10219CFEB25CFA9C9517EDBBB2FF48310F148569E808A7280DB759985CF91

Function 02BCAD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BCAF9E

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dfd26175e2c9e863c86a3cc1bfd8e5e733b79701c163d3c0ee878d8ad1bb30da
Instruction ID: 4e4ea0e23de7e43551b47050f3e45d79427eb024ec33e665c43d590b17cff96a
Opcode Fuzzy Hash: dfd26175e2c9e863c86a3cc1bfd8e5e733b79701c163d3c0ee878d8ad1bb30da
Instruction Fuzzy Hash: 2E7126B0A00B098FD724DF6AD44475ABBF5FF88304F208A6ED48AD7A40DB75E845CB91

Function 02BC44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BC59C9

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a85f0321f2e5ca48110e87bc9cb9786b09ad966be0fa8750f08cc9c7049f6bbd
Instruction ID: a9071ae0f508c1ad436d9eaeb920e957e4e16e56acc19728292850fa0dde9741
Opcode Fuzzy Hash: a85f0321f2e5ca48110e87bc9cb9786b09ad966be0fa8750f08cc9c7049f6bbd
Instruction Fuzzy Hash: 3E41B271C00719CBDB28DFAAC884B9DBBF5FF49304F60805AE419AB251D7756946CF90

Function 02BC590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02BC59C9

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3acd7107299d5e28a9d9b08afd818f7f49b863b4af6dddb6899b41834f7a4a69
Instruction ID: e87e138a1d3605eb3989d45dd32c90976b137351e1eebf55d57c7cdba8de8a0f
Opcode Fuzzy Hash: 3acd7107299d5e28a9d9b08afd818f7f49b863b4af6dddb6899b41834f7a4a69
Instruction Fuzzy Hash: 7641C170C00719CFDB28CFAAC884B9DBBB1FF49304F60805AE419AB251DB75694ACF50

Function 05314050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05314111

Memory Dump Source

Source File: 0000000B.00000002.1381420132.0000000005310000.00000040.00000800.00020000.00000000.sdmp, Offset: 05310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5310000_jHJQWf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c55c3505a83443e6fdb1f282485fc56f47331b7b84d58449ae5a4cf3f3a34a58
Instruction ID: bc64c7f43653696bd13fa02cdb0b117ae86a1c3ed7107c6f59d7b89642fa0f5c
Opcode Fuzzy Hash: c55c3505a83443e6fdb1f282485fc56f47331b7b84d58449ae5a4cf3f3a34a58
Instruction Fuzzy Hash: 7F41EAB9A00305CFDB18CF99C448AAABBF6FF88314F24C459D519AB321D775A845CFA4

Function 02BCD6E1 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BCD5E6,?,?,?,?,?), ref: 02BCD6A7

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ef88fd98cf29a7e7a5273d9a63c6784d32caebc6ec64463dc4ce00d58dccc74
Instruction ID: bb21c4a98eb26071eb5235bc1f8a466cbda3b2b73b514deab43b401ea8ddb22c
Opcode Fuzzy Hash: 3ef88fd98cf29a7e7a5273d9a63c6784d32caebc6ec64463dc4ce00d58dccc74
Instruction Fuzzy Hash: 3A317235E403849FEF04EF60F4997693BA6FB88710F20863AE9158B7D6CAB44859DF50

Function 053E7024 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,053E879D,?,?), ref: 053E884F

Memory Dump Source

Source File: 0000000B.00000002.1381533945.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_53e0000_jHJQWf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4b12100453eeb2715038d2b3ec5ede71d6338b62f3f69ef367262d932582318e
Instruction ID: f8d557957be76a58a3adbec7cec145cf181bc40639832046b596bb80bed90ad7
Opcode Fuzzy Hash: 4b12100453eeb2715038d2b3ec5ede71d6338b62f3f69ef367262d932582318e
Instruction Fuzzy Hash: AB31EEB5D003199FDB10CF9AD884AAEFBF5FB48320F14842AE819A7250D774A940CFA0

Function 071B68E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071B6980

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c78e673640da858e163cb2a03c073dd538e748a999f99c52fb9e0b9eeb6185bf
Instruction ID: e683d85b56e216152dbcb7bcc520fe4acba315eb58668b411d0d074a73a13a1f
Opcode Fuzzy Hash: c78e673640da858e163cb2a03c073dd538e748a999f99c52fb9e0b9eeb6185bf
Instruction Fuzzy Hash: D12137B5900359DFDB24CFA9C880BDEBBF1FF48310F10882AE958A7240C7799A45CB60

Function 053E87B0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,053E879D,?,?), ref: 053E884F

Memory Dump Source

Source File: 0000000B.00000002.1381533945.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_53e0000_jHJQWf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 46bad1adadad04f1f9aa301323210ba6b687a11a6bcd3906d27b14e362721896
Instruction ID: c22713df8f5963a7940aacabb43e03ddd0c078c5acc86aa7972dc2626e919c7e
Opcode Fuzzy Hash: 46bad1adadad04f1f9aa301323210ba6b687a11a6bcd3906d27b14e362721896
Instruction Fuzzy Hash: 2C31EEB5D003099FDB10CFAAD884ADEFBF5FB48320F14842AE819A7250D775A940CFA4

Function 071B68F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071B6980

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7a9abd2e8782342b9f588d87c44b15431b374d51b360e9b6e18d11bce857fd88
Instruction ID: ff452511db164179759d5b179ff86dcde1ac0c64f9e2bd3359098069b3dbf5af
Opcode Fuzzy Hash: 7a9abd2e8782342b9f588d87c44b15431b374d51b360e9b6e18d11bce857fd88
Instruction Fuzzy Hash: 992127B59003599FDB24CFAAC880BDEBBF5FF48310F10842AE958A7240C7799940CBA4

Function 02BCB730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BCD5E6,?,?,?,?,?), ref: 02BCD6A7

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e066e9a24fd4bef12f771cb969f78d9407f8d02d59772ab067aa9945347aae1b
Instruction ID: 9e0efecb5c28bfa8054cfdd7b992d7275a0d1846509d7183ee1ccd455b53e4bb
Opcode Fuzzy Hash: e066e9a24fd4bef12f771cb969f78d9407f8d02d59772ab067aa9945347aae1b
Instruction Fuzzy Hash: 0121E5B59002499FDB10DF9AD584ADEBBF4EB48310F14846AE959A7350D378A940CFA4

Function 071B6758 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071B67D6

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b00858c3649c47e642eb3b0324ab548efc9dba01c9564dfdec8f809956e8122f
Instruction ID: f98877b8a75782f2350413a9179fc0994a2904b742ea749a687972ffea6d840d
Opcode Fuzzy Hash: b00858c3649c47e642eb3b0324ab548efc9dba01c9564dfdec8f809956e8122f
Instruction Fuzzy Hash: DB2118B5D003099FDB24DFAAC485BEEBBF4EF48310F14842AD559A7240CB789945CFA4

Function 071B6750 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071B67D6

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 38642f714b33ad16f768a8a26517c53eff80c6f5ad895e92aad588cf470f68e7
Instruction ID: 695401c2ab59ea29673aeb011543a707334b5a40f975bc79676a60ae3e5a6aa0
Opcode Fuzzy Hash: 38642f714b33ad16f768a8a26517c53eff80c6f5ad895e92aad588cf470f68e7
Instruction Fuzzy Hash: 122138B5D003099FDB24DFAAC585BEEBBF4EF48210F14842ED559A7240CB789945CFA4

Function 071B69D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071B6A60

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3ffa785a124b212d6b4052680724edc0d4665713530dff249c4635ed36e2063
Instruction ID: e342bc6d7366f693dcad4192234f3c88aec187ab4cffd1a4f50dc63ad7a2a7d2
Opcode Fuzzy Hash: d3ffa785a124b212d6b4052680724edc0d4665713530dff249c4635ed36e2063
Instruction Fuzzy Hash: 5C2105B1C002599FDB24CFAAD980BEEBBF1FF48310F10842AE959A7240C7799945CB64

Function 071B69E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071B6A60

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3d6241e4d50f57f16aa3113360e283d03646e587310baf205a44ac64a92d7b9c
Instruction ID: 70cce3356690da187de9cfdeb2ba145b69a66d166b54a0fe30d5e046e6b17750
Opcode Fuzzy Hash: 3d6241e4d50f57f16aa3113360e283d03646e587310baf205a44ac64a92d7b9c
Instruction Fuzzy Hash: 8D2116B1C003599FDB14CFAAC840BEEBBF5FF48310F10842AE919A7240C7799940CBA4

Function 071BA180 Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071BA1E5

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 603fe91fda58d6681c8cc722e0907b5c2bc69a1ac72e5b2389b8a57475539e76
Instruction ID: a95abb340acaf12dc5824229a7d2fb23610c706228fa64aa07644b8d30c5fe4e
Opcode Fuzzy Hash: 603fe91fda58d6681c8cc722e0907b5c2bc69a1ac72e5b2389b8a57475539e76
Instruction Fuzzy Hash: 002104BA8002499FDB20DF99D545BDEBBF8EF48320F20841AD558A7640C379A654CFA0

Function 02BCD619 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02BCD5E6,?,?,?,?,?), ref: 02BCD6A7

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b71fe29646bf17ae772739ef6a888d16e4a6db56bdfe9f397e070909c51e23e0
Instruction ID: 654b268ec6179b9a324473f90a3fad95162daa75166877f7732cd510367779a9
Opcode Fuzzy Hash: b71fe29646bf17ae772739ef6a888d16e4a6db56bdfe9f397e070909c51e23e0
Instruction Fuzzy Hash: 0C21F5B9D00209DFDB10CFAAD584ADEBBF5FB48314F24846AE958A7350C378A940CF64

Function 071B6828 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071B689E

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f1377a959dc5e65925e2ec56ed4becca1b5cada457dce7e0f2bc09d51a897b11
Instruction ID: 026b1ae2907574b498ef07deb92161141e93725814fda6dc4d614a695e770a22
Opcode Fuzzy Hash: f1377a959dc5e65925e2ec56ed4becca1b5cada457dce7e0f2bc09d51a897b11
Instruction Fuzzy Hash: 0D1159B6800349DFDB24CFAAC845BDEBBF5EF48310F14881AD959A7250C7799940CFA4

Function 071B6830 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071B689E

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 116961b47445b147dd05a7c77e4bf2f70b225f180e78ec61efb91251643ebc08
Instruction ID: 8ad1c1f0582c2a68f50c49a9680b0aa74c482fe867edb20a06bedb5bdd11c909
Opcode Fuzzy Hash: 116961b47445b147dd05a7c77e4bf2f70b225f180e78ec61efb91251643ebc08
Instruction Fuzzy Hash: 4E1126768003499FDB24DFAAD845BDEBBF5EF48310F14881AE919A7250CB799940CFA4

Function 071B6268 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071B62D2

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 766c96c609562cf9f87f3dfbefa03de5917ad3da1e94b4c482c7bfec54b5fe68
Instruction ID: e9dc8d2fb798871db69f6b175c2e2be8936c1f92885effbea9568b4124e84a0f
Opcode Fuzzy Hash: 766c96c609562cf9f87f3dfbefa03de5917ad3da1e94b4c482c7bfec54b5fe68
Instruction Fuzzy Hash: 831188B5D003498FDB24CFAAC445BEEFBF4EF48210F20881AC419A7240CB39A901CFA4

Function 071B6270 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071B62D2

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c113d0d35a6c45a3ad8b91992ddcfcfb682181d10ee1e97385302304fe9ffbea
Instruction ID: db3ecf49b13168488b04822ebb9001789a3d1817da7562a2d795958feb48693a
Opcode Fuzzy Hash: c113d0d35a6c45a3ad8b91992ddcfcfb682181d10ee1e97385302304fe9ffbea
Instruction Fuzzy Hash: AA113AB5D003498FDB24DFAAD444BDEFBF5EF48210F14881AD519A7240CB79A941CFA5

Function 071B5058 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071BA1E5

Memory Dump Source

Source File: 0000000B.00000002.1383038206.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_71b0000_jHJQWf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a7863748f47dc8b1e8a2d05fedb5c163357b7f628a627d64eb5b1d39e0536dc2
Instruction ID: 1a265f3ecdffd9ed49978128ec4f199024ff903778ac9a770e482a5cf2bb8c4d
Opcode Fuzzy Hash: a7863748f47dc8b1e8a2d05fedb5c163357b7f628a627d64eb5b1d39e0536dc2
Instruction Fuzzy Hash: 651103B5804349DFDB20DF9AD884BDEBBF8EF58310F10841AE558A7640C379A944CFA5

Function 02BCAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BCAF9E

Memory Dump Source

Source File: 0000000B.00000002.1370333793.0000000002BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2bc0000_jHJQWf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3dff1c45b3350c488ba425007793efef9bd128e77b5197dec6dfffe8115372ec
Instruction ID: 69e49be3d0ae284e86af4f31a0238e23f2070ea42161d231ff5a3f6ca419ed8c
Opcode Fuzzy Hash: 3dff1c45b3350c488ba425007793efef9bd128e77b5197dec6dfffe8115372ec
Instruction Fuzzy Hash: 871110B6C002498FCB20CF9AD444BDEFBF4EB88214F20846AD818A7600C379A545CFA1

Function 0102D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6e5097537693146e3163fe8cce7dfa06a0aacdf0204055a78af04f73938710
Instruction ID: 4bf6f7b508f2c1ad000fed22f982e19446113eb7f80daa6a1771f4c8e2295539
Opcode Fuzzy Hash: 9e6e5097537693146e3163fe8cce7dfa06a0aacdf0204055a78af04f73938710
Instruction Fuzzy Hash: AF210671504340DFDF15DF94D9C0B2ABBA5FB99324F20C5A9ED490B256C336D81ACBA1

Function 0102D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd2b07935708b71f0724994bcca61acbe4455ab9b1c66a828ff8317091b69a3
Instruction ID: 105290ea154e9ed6c0ff66e0e61ffa3e0df2e1a861c0b461a29b06ece8d105fb
Opcode Fuzzy Hash: 0dd2b07935708b71f0724994bcca61acbe4455ab9b1c66a828ff8317091b69a3
Instruction Fuzzy Hash: A8214571500250DFDB15DF94D9C0F2ABFA5FB88318F20C5A9E8890F256C376D846CBA2

Function 0118D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369428675.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_118d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4893cdca8600757cab1d1bfe34eca71109772857c1c1d3d25c5bbb2754b00fde
Instruction ID: 33117cb56f111f73b83bbac96b60a575996941b6638d4e150e1ebd144f7ddd6b
Opcode Fuzzy Hash: 4893cdca8600757cab1d1bfe34eca71109772857c1c1d3d25c5bbb2754b00fde
Instruction Fuzzy Hash: 1A21F271604304DFDF19EF94E9C0B16BB65EB84314F20C56DD94A4B296C33AD447CE62

Function 0118D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369428675.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_118d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51a7cb97112f6fcb75fc2a9ee7edeec6f447268c10b971379f1e82e6fd9517a
Instruction ID: bbc7eb81bb04b5be3b4608876c4c30c007e64f1c8c501470ee0cb0a0a3c630ce
Opcode Fuzzy Hash: a51a7cb97112f6fcb75fc2a9ee7edeec6f447268c10b971379f1e82e6fd9517a
Instruction Fuzzy Hash: 7121B3715043049FDF19EF94E5C0F15BB66FB84324F24C56DE9494B292C336D446CE62

Function 0102D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ed18dbe1fbc7fec028946c4a8f46b05e137d48d9d88c732245ebcda57f4e15
Instruction ID: c7505925b141547a239473072b8a1b312b7b34e2bb49ba13450b3e8702e0b1e4
Opcode Fuzzy Hash: 34ed18dbe1fbc7fec028946c4a8f46b05e137d48d9d88c732245ebcda57f4e15
Instruction Fuzzy Hash: 6D21DF76404240CFCB06CF44D9C4B16BFB2FB85324F24C5AADD480B656C33AD82ACBA1

Function 0102D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: 2dce1d8bb9179c93f26a7e88a2c1d4b9409c3a1e207a931c19a8fa63448e685e
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: 5C110372404280CFCB12CF54D5C0B16BFB1FB84318F24C6A9D8490B657C336D856CBA1

Function 0118D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369428675.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_118d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: d5d3c46316ad870d51da97bf15a0ac8679640b807f70a79f316d60a5c7cbf2ed
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: E211BB75504280DFCF16DF54E5C0B15BFA2FB84324F24C6AAD8494B696C33AD40ACF62

Function 0118D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369428675.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_118d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: 3629884bedf4d93838aa4b693c812e0684de9c8601af1419640affd9166beb80
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: 1311A975504380CFDB16DF54E584B15BBA2FB84314F24C6AAD8494B696C33AD40BCFA2

Function 0102D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57fd318a93513a66f84b11c559b28ea5784d05f02ba35aac7e701d6935a9806
Instruction ID: 804432b214b8b355c8372229d2deef1014ee990fdf45eddbb46a11b356a13e6c
Opcode Fuzzy Hash: c57fd318a93513a66f84b11c559b28ea5784d05f02ba35aac7e701d6935a9806
Instruction Fuzzy Hash: 1601A2314043949EF7608BA5CD84B6AFBE8FF41224F18C55AED894A686D37D9C40CBB2

Function 0102D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1369289644.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_102d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8662c3487e4172589f7715e036b12f1657bd52e3f528be0ea09c53f4dce3796e
Instruction ID: 5452105b2cc533a8bfc250bd3f95aadf3fe3c1f27621e69bde9e8c75696a34cb
Opcode Fuzzy Hash: 8662c3487e4172589f7715e036b12f1657bd52e3f528be0ea09c53f4dce3796e
Instruction Fuzzy Hash: 3DF0C2310043949EE7208B0ACD84B62FFE8EF41724F18C45BED484B286C2799844CBB1

Analysis Process: jHJQWf.exePID: 7092, Parent PID: 8012COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	63%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	4

Executed Functions

Function 06BAC120 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2579506160.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6ba0000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09b8ed965b14ae4c189fce7b859b8bfa3e067cbed8673f21c8fd8f6a22462b7
Instruction ID: dc964d43016231f78c4015ccabd00114e69eac9dcd54ebec292229a5a2bb173d
Opcode Fuzzy Hash: f09b8ed965b14ae4c189fce7b859b8bfa3e067cbed8673f21c8fd8f6a22462b7
Instruction Fuzzy Hash: 99410372E083598FCB14DFA9D8046EEBFF5EF89210F1485ABD404A7281DB789940CBE1

Function 06BAC1F0 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BAC172), ref: 06BAC25F

Memory Dump Source

Source File: 00000010.00000002.2579506160.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6ba0000_jHJQWf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e62d20f873e585e113a39b467d2c5da8aba5ab7bf17c3b828f8f0aa34f79f736
Instruction ID: e9c9c15a0634043815d5482438bdd39cd57670a768dc05f825c02b8548d713c4
Opcode Fuzzy Hash: e62d20f873e585e113a39b467d2c5da8aba5ab7bf17c3b828f8f0aa34f79f736
Instruction Fuzzy Hash: DD21ABB1D043698FDB14CFA9D8447DEBBF4EF48310F1484AAD814A7241D378A900CBA1

Function 015170B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0151712F

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 63f69a0e629ab8b373306cebb6c8ad23c726a2631262949cbc3d299be077f8c5
Instruction ID: 22667e4e8c0b04d652738d2a68628ecb9eb9082732da0b0878f4dda898c57439
Opcode Fuzzy Hash: 63f69a0e629ab8b373306cebb6c8ad23c726a2631262949cbc3d299be077f8c5
Instruction Fuzzy Hash: 092159B5D002598FDB14CF9AD544BEEBBF4FF48210F14841AE455B7650D7389944CF60

Function 015170B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0151712F

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 43a5cb6f31d4305821e10c72b5a27792f0817340fbc0d2cfda8107eee28709d4
Instruction ID: a001b4091b617cbf417c40a8efee249fb731b4ebc70a9d263fe80d2e6d56a6fa
Opcode Fuzzy Hash: 43a5cb6f31d4305821e10c72b5a27792f0817340fbc0d2cfda8107eee28709d4
Instruction Fuzzy Hash: 46214871C002598FDB14CF9AD444BEEBBF4EF49210F14841AE855A7240D778A944CF61

Function 0151F018 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151F0A7

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef3bd05bda8b0b74147eab8226cf0531f9780385c49067cf70e707bf44e51efe
Instruction ID: 49eb8ff645201810369571e4410e0455e867d0dbf59b46daff10634b1dc374be
Opcode Fuzzy Hash: ef3bd05bda8b0b74147eab8226cf0531f9780385c49067cf70e707bf44e51efe
Instruction Fuzzy Hash: 4721E4B5D002489FDB11CFAAD484AEEBFF5FB48310F14841AE919A7350C379A954CFA5

Function 0151F020 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151F0A7

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 688271ef92024d068a2b0061ac6616fdb460cffb4247e949b40b8aaecd927419
Instruction ID: 2bebcab8f1d705dc19875f9b00637c4e5cd387a7ccffc52fb70b15fdd2df7036
Opcode Fuzzy Hash: 688271ef92024d068a2b0061ac6616fdb460cffb4247e949b40b8aaecd927419
Instruction Fuzzy Hash: 8E21F3B5D002489FDB10CFAAD884ADEFBF8FB48310F14841AE919A7350C379A944CFA5

Function 01518430 Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 015184A8

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 769734eeff8fd4575f18fc52db4ce20cac673bd7551d2f4b5e30cb11a090304f
Instruction ID: 2e1f598dd1483825659463e0438b0ffbd797c6f94382a8061e9e0a2218a81dd9
Opcode Fuzzy Hash: 769734eeff8fd4575f18fc52db4ce20cac673bd7551d2f4b5e30cb11a090304f
Instruction Fuzzy Hash: B62144B1C0065A9FDB24CF9AC845BDEFBF4FB48320F14812AD818A7240D778A941CFA5

Function 01518438 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 015184A8

Memory Dump Source

Source File: 00000010.00000002.2555845105.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_1510000_jHJQWf.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 29ba6525c92f04ac45ca1ce5e656bca8573f6443c392254420a31bbf42542433
Instruction ID: 34504733cfad5d57fd94c38c417413415600ec853408b229bc518afe4e97de4e
Opcode Fuzzy Hash: 29ba6525c92f04ac45ca1ce5e656bca8573f6443c392254420a31bbf42542433
Instruction Fuzzy Hash: 221122B1C0065A9BDB24CF9AC444BDEFBF4FB48220F14852AD818AB640D778A940CFA5

Function 06BAB918 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BAC172), ref: 06BAC25F

Memory Dump Source

Source File: 00000010.00000002.2579506160.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6ba0000_jHJQWf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5df576589218e4f5ba2fd16a9cdd4c31e932bc865c9874a5ae279fc3fcc8e2be
Instruction ID: c2b72fec38cd31df051ea005a5b69dd2b64121301c4278fb85b5df6e57452ef9
Opcode Fuzzy Hash: 5df576589218e4f5ba2fd16a9cdd4c31e932bc865c9874a5ae279fc3fcc8e2be
Instruction Fuzzy Hash: 0311F2B1C046599BDB10CF9AC444BEEFBF4EB48210F10816AE918A7240D778A944CFE5

Function 06BAC2A4 Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BAC172), ref: 06BAC25F

Memory Dump Source

Source File: 00000010.00000002.2579506160.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_6ba0000_jHJQWf.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: fab9f685891c1ea32b2ee00eac9f5a22bc3ba168b2e6ca43888868c7d74e83e6
Instruction ID: 69d1dda54b1b18ca5c6a66a1150a223b2685a124480e3e614065b087ca0952d9
Opcode Fuzzy Hash: fab9f685891c1ea32b2ee00eac9f5a22bc3ba168b2e6ca43888868c7d74e83e6
Instruction Fuzzy Hash: 3C01D1B2C0D3959FEB219FE9C4153DCBFA0EF06224F088196C484AB182D37D9549CBE6

Function 0129D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2552978670.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_129d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c43626d0c55385be4a07d009ac37f6613bdcce8330a592a0d3f495a4939c2e5
Instruction ID: a0a8beb3d06506da35ef06bb913af420bcd7acb5cae8ef25869343655656bdf5
Opcode Fuzzy Hash: 7c43626d0c55385be4a07d009ac37f6613bdcce8330a592a0d3f495a4939c2e5
Instruction Fuzzy Hash: 0F210071524308DFDF15DF98D9C0B26BBA1EB84314F20C56DD90A0B292C37AD447DA62

Function 0129D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2552978670.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_129d000_jHJQWf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: 590e876979e9b5a39c4ad36c74801949706074814d3f1349462d6bca1804a51c
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: E811BB75504284CFCB12CF58D5C4B15BFA1FB84314F28C6AAD9494B656C33AD44ADB62

Analysis Process: ZUHFqcY.exePID: 7612, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	156
Total number of Limit Nodes:	8

Executed Functions

Function 059C6B6D Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059C6DAE

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 855675a02ba5c001cd489f71123418b5a176b002e86de1c427ed04f9772d1875
Instruction ID: 8224ff2accf458d3e9613197830d518057084dff43d2554aa79e88467bda1505
Opcode Fuzzy Hash: 855675a02ba5c001cd489f71123418b5a176b002e86de1c427ed04f9772d1875
Instruction Fuzzy Hash: 7B916D71D00219DFDB24CFA9C844BEDBBB6FF49310F0481AAE819A7240DB759985CF92

Function 059C6B78 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 059C6DAE

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a5ac140b1050c9a82569bee02ed6188de7576d17c9a536ed2f65d3e4f8a97b00
Instruction ID: b76a5b15594350a9abd38f46cc70e0000bba0086a1d7d005404f7ffbd971fab0
Opcode Fuzzy Hash: a5ac140b1050c9a82569bee02ed6188de7576d17c9a536ed2f65d3e4f8a97b00
Instruction Fuzzy Hash: 2E915C71D00619DFDB24CFA9C844BEDBBB6FF49300F0481AAE819A7240DB759985CF92

Function 024DAD48 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024DAF9E

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6fb24537fb7d0805f19617a53b991be8b83626799ea872914b5b409c2d18a8b3
Instruction ID: 09f0efd29b8a6251ad4116c50c68a47af83a15cf7b484ef49b268138006f6db2
Opcode Fuzzy Hash: 6fb24537fb7d0805f19617a53b991be8b83626799ea872914b5b409c2d18a8b3
Instruction Fuzzy Hash: FD812570A00B158FDB24DF6AD05575ABBF1FF88304F04892ED48A9BB50DB75E846CB91

Function 024D590D Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024D59C9

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e7fdeef5105fde780fe2683e86543fe67f40d8a26b00b568f162321d00e42e9e
Instruction ID: a1a9bf2aaa1812f7f1e85c58c1683ebb10f1b4bf3dabe32d981e11a5dbd90998
Opcode Fuzzy Hash: e7fdeef5105fde780fe2683e86543fe67f40d8a26b00b568f162321d00e42e9e
Instruction Fuzzy Hash: 9341B271C00719CFEB24CFA9C88479EBBB5FF49304F60856AD408AB251DB75694ACF50

Function 024D44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 024D59C9

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7c368db2163b8239c56310e8c60a738f903c0e0ff04833d73424fa1e147f50f5
Instruction ID: a5d823eda3b6c0ead609f0ef758d1a017e102b53dce0518f56a7d01a3125a604
Opcode Fuzzy Hash: 7c368db2163b8239c56310e8c60a738f903c0e0ff04833d73424fa1e147f50f5
Instruction Fuzzy Hash: 8E41A271C00729CFEB24DFA9C844B9EBBB5FF49304F60805AD419AB251DB75694ACF90

Function 024DD6E1 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024DD5E6,?,?,?,?,?), ref: 024DD6A7

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c24fc7c6f10c82412a222de0882601bb603fcc778c498f61461925ac289367cb
Instruction ID: 8e63309f95ff2c225f91daf6e88532fc043e99cef59551e80caf14d26ecae80b
Opcode Fuzzy Hash: c24fc7c6f10c82412a222de0882601bb603fcc778c498f61461925ac289367cb
Instruction Fuzzy Hash: 5E31C2746403809FE701EF60E465B697BB1F788714F11852AEA118B3E5EABC9C56CF20

Function 059C68E8 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059C6980

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f0b2a6afae1be58a343c9c06dd0b5b43b9970f5c96f3ebc48b2b9756506b91f8
Instruction ID: 5116666d3cbf589e139adebd8be63ce55f5d183e68d07ce37261f0f39f44dc5e
Opcode Fuzzy Hash: f0b2a6afae1be58a343c9c06dd0b5b43b9970f5c96f3ebc48b2b9756506b91f8
Instruction Fuzzy Hash: 9E2128759003599FDB10DFAAC841BDEBBF5FF48310F10842AE959AB250C7799940CBA5

Function 059C68F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059C6980

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d26cf97879aaf25d4fe459c818421ee72a4b14107093358abcf236120c43a1b8
Instruction ID: 322d72c9e991fbc04bedc228b06b99cb1db269fae563894ebbe424735f8c46c7
Opcode Fuzzy Hash: d26cf97879aaf25d4fe459c818421ee72a4b14107093358abcf236120c43a1b8
Instruction Fuzzy Hash: 442125759003499FDB10CFAAC880BEEBBF5FF48310F10842EE959AB240C7799940CBA5

Function 024DB730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024DD5E6,?,?,?,?,?), ref: 024DD6A7

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bbe5bf2cf2a97792410499d54640fca6b1a65bc0aa6a205b7772274885c5a631
Instruction ID: 6eac1ae2ffe97af9491eba52e13065d3059438ed3c8449218b0414571e13a8f4
Opcode Fuzzy Hash: bbe5bf2cf2a97792410499d54640fca6b1a65bc0aa6a205b7772274885c5a631
Instruction Fuzzy Hash: E321E4B5D00248EFDB10CF9AD584ADEFBF4EB48710F14801AE918A7350D778A950CFA4

Function 024DD619 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024DD5E6,?,?,?,?,?), ref: 024DD6A7

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e33a9855c7e21408b141b995395c9adebe9f79a98ba484c2e434ee24a783115
Instruction ID: 4618282679aef89a5cfc78831ecbe6263a21f300f2d457d82339812af04ece94
Opcode Fuzzy Hash: 5e33a9855c7e21408b141b995395c9adebe9f79a98ba484c2e434ee24a783115
Instruction Fuzzy Hash: C621E2B5D00248EFDB10CFAAD584ADEBBF5EB48310F14802AE958A7350C379A945CFA4

Function 059C6758 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059C67D6

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4a75cde79fb96470dddc24c1ffb47e3997d00a6656cabbbe113dc1c5403bbe9f
Instruction ID: 15d4fad8070915b19fd7841ff00ec4d9c91be8d5eef6f1f42c33230e23fe0589
Opcode Fuzzy Hash: 4a75cde79fb96470dddc24c1ffb47e3997d00a6656cabbbe113dc1c5403bbe9f
Instruction Fuzzy Hash: 79210475D003099FDB14DFAAC485BEEBBF4EF88220F14842ED559A7240CB78A945CFA5

Function 059C69D8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059C6A60

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6cd95287c5f66939a73960a6e4b865115310afcd6f1a650cc7d0de1bcf6246e7
Instruction ID: 953f191b182f6dcb1cee7a6ae83a2afa359b9a24013649cb228094bbed24866e
Opcode Fuzzy Hash: 6cd95287c5f66939a73960a6e4b865115310afcd6f1a650cc7d0de1bcf6246e7
Instruction Fuzzy Hash: 162105B5C003499FDB14CFAAC981BEEBBF5FF48310F10842AE919A7250D7389944CBA5

Function 059C69E0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 059C6A60

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 355f9e6dca5bde5014a7f65a2e3356f932e028de32818653961a39eda5e1862e
Instruction ID: 4277d8cee18a6eb9ff3e58536dbd5ebf684aa0dbd0c4c15efa1102f4dd2451c3
Opcode Fuzzy Hash: 355f9e6dca5bde5014a7f65a2e3356f932e028de32818653961a39eda5e1862e
Instruction Fuzzy Hash: A021E3718003599FDB14DFAAC880BEEBBF5FF48310F50842AE959A7250DB799940CBA5

Function 059C6750 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059C67D6

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e2769c7674a6ad989bba306d3315104998bcb1e80c8c051f40dc4a7c26eaf51
Instruction ID: c8917a7d7b94b4cd49248d144b06c2cd7784b29615b0116f8d90639697574cf5
Opcode Fuzzy Hash: 7e2769c7674a6ad989bba306d3315104998bcb1e80c8c051f40dc4a7c26eaf51
Instruction Fuzzy Hash: 3F213475D003488FDB14CFAAC485BEEBBF4EF48210F14882ED559A7640CB789A45CFA5

Function 059C6830 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059C689E

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ad038943d3143300515e2ef6160fef7a7809ae6ab92208b9e01f9d711cc0ceb
Instruction ID: 095e5082fbaa16e94e2379934b4021e823c3d570d3227bc3093aa412804cce33
Opcode Fuzzy Hash: 8ad038943d3143300515e2ef6160fef7a7809ae6ab92208b9e01f9d711cc0ceb
Instruction Fuzzy Hash: F91126758003489FDB24DFAAC844BDEBBF5EF88310F14841AE919A7250CB799940CBA5

Function 059C6828 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059C689E

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec523abd4141a2e4ac5c9ae6ac0abe202a4e093f5dd38a9247cd56361672d36e
Instruction ID: e50bde57fb6bc383f3a86935b401aacfab0193eb13248535020e9b00bab554d5
Opcode Fuzzy Hash: ec523abd4141a2e4ac5c9ae6ac0abe202a4e093f5dd38a9247cd56361672d36e
Instruction Fuzzy Hash: FB1126769003489FDF24DFAAC845BDEBFF5EF48310F14881AE959A7250CB799940CBA4

Function 059C6268 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 059C62D2

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f54549790345e00795cc9cb4e5d37e3b9040508228972d7f816ff1e1543c2bbb
Instruction ID: 91b8bb21236ee5b872f0b500344f7786960e296a995a660e16b916891187a6f8
Opcode Fuzzy Hash: f54549790345e00795cc9cb4e5d37e3b9040508228972d7f816ff1e1543c2bbb
Instruction Fuzzy Hash: A0112875D007488FDB24DFAAC4447DEBBF5EF88320F14841ED559A7240CB799940CBA5

Function 059C6270 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 059C62D2

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4045a59c0d332187b5f4bff8edf6701f2f790fa060cc9103cedf5f8c6f861f41
Instruction ID: 63ff0972ce5962673916a24efff10f1498bb412fd1dc4a43e997203603945d3d
Opcode Fuzzy Hash: 4045a59c0d332187b5f4bff8edf6701f2f790fa060cc9103cedf5f8c6f861f41
Instruction Fuzzy Hash: D1113671D003488FDB24DFAAC444BDEFBF5EF88220F24841ED559A7240CB79A940CBA5

Function 024DAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 024DAF9E

Memory Dump Source

Source File: 00000011.00000002.1444617723.00000000024D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_24d0000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 479f14402e46b9dffffd301328685406ec08440be9d2f275915c7ec7b9acdc16
Instruction ID: dae8e9a71980f3110234babd45fc12e26749c84424b0760a10a8821d0d8c1d24
Opcode Fuzzy Hash: 479f14402e46b9dffffd301328685406ec08440be9d2f275915c7ec7b9acdc16
Instruction Fuzzy Hash: 4B111DB6C006598FCB20CF9AC444BDEFBF4EF88224F10846AD829A7710C379A545CFA5

Function 059C5024 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 059CA125

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 142c7e0c0a691047c4b64a1d244d74d23aaf3b140b0ec26081094f406e0980ff
Instruction ID: 178562b797c80f86dc624af9ad1b7658e31070ed1420f4f9a6dae5befbf67e40
Opcode Fuzzy Hash: 142c7e0c0a691047c4b64a1d244d74d23aaf3b140b0ec26081094f406e0980ff
Instruction Fuzzy Hash: 5A11F2B580074C9FDB20CF9AC944BDEBFF8EB48314F10845AE918A7650C379A944CFA5

Function 059CA0C2 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 059CA125

Memory Dump Source

Source File: 00000011.00000002.1449569160.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_59c0000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6016ce9787f2e383830a2423eeb0e99d96facb20acbaae92ce7443f67e787688
Instruction ID: 3fa0cb4af090cf37216cef16e8e714dca28eb5ad49a1d8f1da8372cc7203e2ac
Opcode Fuzzy Hash: 6016ce9787f2e383830a2423eeb0e99d96facb20acbaae92ce7443f67e787688
Instruction Fuzzy Hash: E41100B5800348DFDB20CF9AD984BDEBBF8FB48324F10841AE518A7650C379A944CFA5

Function 00CCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444283412.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b010d25de5e87486db4363b7c81dad82cdb412e2a49fcd6ff20e77dc4996ec63
Instruction ID: 98dda973e9aef7d333ba32c2b268211ea8e20002af8b0ebb17cd2953e227a403
Opcode Fuzzy Hash: b010d25de5e87486db4363b7c81dad82cdb412e2a49fcd6ff20e77dc4996ec63
Instruction Fuzzy Hash: 1421FFB2500240DFDB15DF14D9C0F26BB65FB88318F2085BDE90A0B656C336D956DAA2

Function 00CDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444336133.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_cdd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6571a8eab5bfc8b8a3fe7ad68296a32e186dc44e6ed7da5ed336416ab7d3e169
Instruction ID: 5d0b660329910260baae557711a69fe429018b2e93b605bd2799a15145a30131
Opcode Fuzzy Hash: 6571a8eab5bfc8b8a3fe7ad68296a32e186dc44e6ed7da5ed336416ab7d3e169
Instruction Fuzzy Hash: 1121F571904304DFDB14DF14D9C0B16BB65EBC4314F24C56EDA0A4B396C33AE847CA62

Function 00CDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444336133.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_cdd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefd96c65c6182f17764302a5b0c9f1f68f4e294ef3a5908c32272138234ab64
Instruction ID: 9a852974d570f929c2244ba834eb61b7be9ce87bb64ff88455b0f1613259fd42
Opcode Fuzzy Hash: fefd96c65c6182f17764302a5b0c9f1f68f4e294ef3a5908c32272138234ab64
Instruction Fuzzy Hash: 5321B071904204AFDB15DF54D9C0B26BBA5FB84314F24C5AEEA4A4B792C33ADC46CA61

Function 00CDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444336133.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_cdd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7882f408df12d1269cec8ca58a3b41e82c6a7a05fa8894fcab3958b9a317b0
Instruction ID: d19c053f32740d13dfdf784d4b033025dd7d42e30f10dcb1c9c18eb54d1f1d33
Opcode Fuzzy Hash: ea7882f408df12d1269cec8ca58a3b41e82c6a7a05fa8894fcab3958b9a317b0
Instruction Fuzzy Hash: 8E218E755093808FCB12CF24D990715BF71EB86314F28C5EBD9498F6A7C33A980ACB62

Function 00CCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444283412.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction ID: 0d9a4de46913f3c0107907a1a4695d50566c242240a52d45ded176aa29cacacd
Opcode Fuzzy Hash: 5f425b5cd1c464f0a4a5253a28fe3054bde847c9d27b32d63737858cb099eba0
Instruction Fuzzy Hash: 0B11D3B6504280CFCB15CF10D9C4B16BF71FB94318F24C6ADD84A0B656C336D956CBA1

Function 00CDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444336133.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_cdd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: 1bafd62294cc6f26c5616109b6a59bec85dc0d0aa60f45f1e6a797d456d29401
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: F211BB75904280DFCB11CF10D5C0B15FBB1FB84314F24C6AAD94A4B796C33AD84ACB61

Function 00CCD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444283412.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0186115e58b76a96c3328d7a68c08bca0487be8a256f0dabb9ccb949f7316f2
Instruction ID: 44aebad748da1ca8265bb960208271d954cbc401ab3e167f5dff8fa83bf313b5
Opcode Fuzzy Hash: e0186115e58b76a96c3328d7a68c08bca0487be8a256f0dabb9ccb949f7316f2
Instruction Fuzzy Hash: 8A01DB31404744AEE7205B16DD84F66FBE8DF41320F18856EED1A4F28AC77D9840CB75

Function 00CCD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1444283412.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0163e34f196adda56560780e783d684cce4333894dc8fd95f2a17c5173dd212
Instruction ID: 1fc3c424713af328391ff9dae7c57670a3068bdb5d5e7484fcfea3eceb27c31c
Opcode Fuzzy Hash: c0163e34f196adda56560780e783d684cce4333894dc8fd95f2a17c5173dd212
Instruction Fuzzy Hash: BDF0C231404344AEE7208A06DC84B62FFA8EF51724F18C45EED194F286C3799840CBB5

Analysis Process: ZUHFqcY.exePID: 7744, Parent PID: 7612COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	58.3%
Signature Coverage:	0%
Total number of Nodes:	24
Total number of Limit Nodes:	4

Executed Functions

Function 06ABC110 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.1533331904.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6ab0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2281c8779971737598cf372dd05bda34a8d3f2f5499fdaefa60e880a92258c43
Instruction ID: e75a6968d16c5a40d630d617f3a59e6b83ab6a022656c2eba1eb91ee01e71523
Opcode Fuzzy Hash: 2281c8779971737598cf372dd05bda34a8d3f2f5499fdaefa60e880a92258c43
Instruction Fuzzy Hash: F24106B2D043568FDB14DFA5E8007DEBBB5AF89310F19856BC415EB252DB349841CBD0

Function 02D670B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02D6712F

Memory Dump Source

Source File: 00000014.00000002.1513428237.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2d60000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b5305f38b1b34e2a402dd7fbdf5f32418a61315edda779427919b3c1e79c6dfc
Instruction ID: fdca99f1513d49f2fb3a937ef8ea3e705a7739cfcdf66377659fe5d318f4c9a4
Opcode Fuzzy Hash: b5305f38b1b34e2a402dd7fbdf5f32418a61315edda779427919b3c1e79c6dfc
Instruction Fuzzy Hash: 0F2175B2D002198FDB14CFAAD984BEEFBF4EF48224F14841AE858A3340C7389944CF60

Function 02D670B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02D6712F

Memory Dump Source

Source File: 00000014.00000002.1513428237.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2d60000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: dc57f7df5038c54da41011f2ef3900672140c1e97a3d02e74735d64c91a698f3
Instruction ID: e0ef75ce9a62655e635c6766eca7354704f31a195bdd55fcedc1525dde3e5057
Opcode Fuzzy Hash: dc57f7df5038c54da41011f2ef3900672140c1e97a3d02e74735d64c91a698f3
Instruction Fuzzy Hash: 772145B29002598FDB10CF9AD884BEEFBF4EF48224F14841AE858A3340D778A944CF60

Function 02D6EEF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D6EF7F

Memory Dump Source

Source File: 00000014.00000002.1513428237.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2d60000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b13bfa1ba0039a43252dbce5254334ee11313625418811205688f2d55e760c0
Instruction ID: 02489e1cd04b7d6d62b2890179b5c616a8cc578c8c0f763647f3609044553c07
Opcode Fuzzy Hash: 6b13bfa1ba0039a43252dbce5254334ee11313625418811205688f2d55e760c0
Instruction Fuzzy Hash: 8121E4B5D002489FDB10CF9AD584AEEBBF5EB48310F14801AE959A7350D379A954CFA0

Function 02D6EEF8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D6EF7F

Memory Dump Source

Source File: 00000014.00000002.1513428237.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2d60000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7cef867eca43e8d058b8ca1c538c9b0e93115db837f654037203dd17fa164cdd
Instruction ID: d73f99da33c30dd93dce06a35e8b0892355eecb399442466107198a3f26a2122
Opcode Fuzzy Hash: 7cef867eca43e8d058b8ca1c538c9b0e93115db837f654037203dd17fa164cdd
Instruction Fuzzy Hash: F621C4B5D002489FDB10CF9AD984AEEBBF5EB48310F14841AE958A7350D379A944CFA5

Function 06ABC1F8 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 06ABC25F

Memory Dump Source

Source File: 00000014.00000002.1533331904.0000000006AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_6ab0000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a66df68e9b52cdaee95f6633e04cf3f6e50fa980d062674dcae1eddced028b97
Instruction ID: 3bfa6fc0d4b38edf2e5284f622ac329695f98ca275a04e95167ab928446c5824
Opcode Fuzzy Hash: a66df68e9b52cdaee95f6633e04cf3f6e50fa980d062674dcae1eddced028b97
Instruction Fuzzy Hash: 9B1123B1C006599FCB10DF9AD444BDEFBF4EF48320F10816AD818A7241D778A944CFA5

Function 0141D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1512969480.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_141d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260fd357c7a824321ac1be912deb4f6f4fce1861d1b2a5bba01f5ce2ecf94aba
Instruction ID: db3c84e6a0c7d7c72a004f397bcb9c6e878309e60cd8e3447b72340481861f08
Opcode Fuzzy Hash: 260fd357c7a824321ac1be912deb4f6f4fce1861d1b2a5bba01f5ce2ecf94aba
Instruction Fuzzy Hash: C23189B15093C48FCB13CF64C894701BF71AB46214F29C5DBD9898F2A7C23A980ACB62

Function 0141D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1512969480.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_141d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37a33ca21c0b9cbecd34a24d563563b7c6cea30d80d9e312bcc583b99402448
Instruction ID: 39cb0959db9eef103075429e3e022b6e93f87f0006b92995d4f586abfc977ea9
Opcode Fuzzy Hash: b37a33ca21c0b9cbecd34a24d563563b7c6cea30d80d9e312bcc583b99402448
Instruction Fuzzy Hash: 2A2103F1904204DFDB15DF94D984B16BF61EB84318F20C56ED80A0B36AC33AD447CA62

Analysis Process: ZUHFqcY.exePID: 7532, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	241
Total number of Limit Nodes:	15

Executed Functions

Function 05CA6230 Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bd00222b8636f9194e02e87bd49b40c925bf05694f853b782bfa10bbadc3c7
Instruction ID: a6920ef408c7b0c3d4c46d0092c7bcbdb7ebd620bc14c6c69957ce28af6936f1
Opcode Fuzzy Hash: 29bd00222b8636f9194e02e87bd49b40c925bf05694f853b782bfa10bbadc3c7
Instruction Fuzzy Hash: BD626172A0410ADFCB15CF68C584AAEBFF2FF48314F198969E4069B265D770ED81CB61

Function 0306D3C9 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0306D456
GetCurrentThread.KERNEL32 ref: 0306D493
GetCurrentProcess.KERNEL32 ref: 0306D4D0
GetCurrentThreadId.KERNEL32 ref: 0306D529

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 95e3d817e6e526f8fe7f538d70d5c6c643e8e1080eec255ccd81252075ce4c86
Instruction ID: ab73ee0d1f311da2de17efa20f7b1e3b3df75f306b4f04afd26be168b204abe2
Opcode Fuzzy Hash: 95e3d817e6e526f8fe7f538d70d5c6c643e8e1080eec255ccd81252075ce4c86
Instruction Fuzzy Hash: B15157B0A023098FDB14DFAAD548BDEBBF1EF48304F248459D409A77A0D779A944CF65

Function 0306D3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0306D456
GetCurrentThread.KERNEL32 ref: 0306D493
GetCurrentProcess.KERNEL32 ref: 0306D4D0
GetCurrentThreadId.KERNEL32 ref: 0306D529

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3a1538ddcefcde16069a17e733d185076bbf5717383bea0ec4c345e673964679
Instruction ID: 8bcee8426426a4f7561a58e076a72af0e06249967b8d8ca219fe2331bb62002d
Opcode Fuzzy Hash: 3a1538ddcefcde16069a17e733d185076bbf5717383bea0ec4c345e673964679
Instruction Fuzzy Hash: B85164B09013098FDB14DFAAD548BDEBBF1EF88304F248059E409A77A0D779A944CF65

Function 073C6B71 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073C6DAE

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7f051617f1f4ce50b153345001fcb1a22a19de27998f5935874a6dc88afa5d9f
Instruction ID: 3c7f139135cdbe8430aba7cf557e207adeaa8d7ef05bfc90fbf5decad963170a
Opcode Fuzzy Hash: 7f051617f1f4ce50b153345001fcb1a22a19de27998f5935874a6dc88afa5d9f
Instruction Fuzzy Hash: 6E9159B1D00219CFEB24CF69C941BEDBBB2EF48310F1481AEE849A7240DB759985CF91

Function 073C6B78 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073C6DAE

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d3205c9e7a22c50f8e3ae6a391ed6b4635b20680530593418981a2389c32e763
Instruction ID: 90b134649b5ebea935ace3300aa972004def0ca82e0f8c6c0e547c97ef0cc2ac
Opcode Fuzzy Hash: d3205c9e7a22c50f8e3ae6a391ed6b4635b20680530593418981a2389c32e763
Instruction Fuzzy Hash: 18914AB1D00219CFEB24CF69C941BEDBBB2FF48310F0481AAE849A7240DB759985CF91

Function 0306AD48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306AF9E

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5c038ada357af2870b0d26548581a229ca6f9ffbe11cb3959f2d31db643877a
Instruction ID: 1669ec8ef95272d5fcbc037591954ee80f8733180f273a4fb478953f7d8ebd6a
Opcode Fuzzy Hash: c5c038ada357af2870b0d26548581a229ca6f9ffbe11cb3959f2d31db643877a
Instruction Fuzzy Hash: 717143B0A01B058FD764EF6AD44079AB7F5FF88304F048A2AD44AEBB44D779E845CB91

Function 0306590D Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030659C9

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9fb71a53da1cfccad90485d4e48a1f855ca61cb641b8489cd45ef9b94c1c1e9e
Instruction ID: ab00a92e13981613b26c38744356804c04f667eb1b54b99e37b4de95fe01ebd7
Opcode Fuzzy Hash: 9fb71a53da1cfccad90485d4e48a1f855ca61cb641b8489cd45ef9b94c1c1e9e
Instruction Fuzzy Hash: 6141DD70C0161DCFDB24DFA9C884B9DBBB2BF49304F24815AD408AB255DB75594ACF50

Function 030644E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030659C9

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b7159c97ea26e16b0dfa5525dbbb81541378c0850ff8ff2fa3af9a2bcd75e461
Instruction ID: 1d6e1ea369f398349604704031f904c8b918191a2b311489a456f39b3ae497aa
Opcode Fuzzy Hash: b7159c97ea26e16b0dfa5525dbbb81541378c0850ff8ff2fa3af9a2bcd75e461
Instruction Fuzzy Hash: 2341BC70C0171DCFDB24CFA9C884B9EBBF5AF49304F24806AD418AB255DB75694ACF90

Function 0306D6E1 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306D6A7

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4f5cb5433efa50038e25d0feb6abb2050283dcd86c704d7921abe2acc4a72629
Instruction ID: 46d4d790c38a1e5df8645399d01ac6fcfe5d415425d9c9ab2c56d3b2f2c16584
Opcode Fuzzy Hash: 4f5cb5433efa50038e25d0feb6abb2050283dcd86c704d7921abe2acc4a72629
Instruction Fuzzy Hash: 9031C2346613C4CFE704EFA5E5857A93BA2F788310F24806AE9019B7E4CAB94899CF11

Function 073C68E8 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073C6980

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 68205f1ea4756f9a0b6dfaa14a442c7661fb3299284a86cffc3955ca4e171a4a
Instruction ID: 3b80d9ddcd3f2675dfe87e7a5ac9a5ca85813397c4ac1beeec624f5f28d660e9
Opcode Fuzzy Hash: 68205f1ea4756f9a0b6dfaa14a442c7661fb3299284a86cffc3955ca4e171a4a
Instruction Fuzzy Hash: 522125B59003499FDF14CFAAC881BEEBBF1BF48310F14846EE959A7240C7789945CBA5

Function 05697024 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0569879D,?,?), ref: 0569884F

Memory Dump Source

Source File: 00000016.00000002.1542534939.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5690000_ZUHFqcY.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: e0cdd59942035e31353b60e6a088edcc0ed8df3316e7f2fe458dd2dad201bbfd
Instruction ID: 81c7c0309a42229e8cee96153c51ea34137addc1dd76680f6ab3733d5f201349
Opcode Fuzzy Hash: e0cdd59942035e31353b60e6a088edcc0ed8df3316e7f2fe458dd2dad201bbfd
Instruction Fuzzy Hash: D031D1B5D003099FDF14CF9AD984ADEBBF9FB48210F14842AE919A7710D774A944CBA0

Function 056987B0 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0569879D,?,?), ref: 0569884F

Memory Dump Source

Source File: 00000016.00000002.1542534939.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5690000_ZUHFqcY.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 436983f6850273d79f80f794d88a822820d8bf63c7f24e8cccfd08a683bbe76a
Instruction ID: b49080a515610ac96f7e7c78c8040ab475e6cf48809303c87f79a815a68af9bd
Opcode Fuzzy Hash: 436983f6850273d79f80f794d88a822820d8bf63c7f24e8cccfd08a683bbe76a
Instruction Fuzzy Hash: 0A31DFB5D003099FDB14CF9AD984ADEBBF9BB48220F14842AE819A7710D775A940CFA0

Function 073C68F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073C6980

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 96e2a7fcd16a1137c6c985f6180bbc7186bee0bf91829e00e1e3589625260ef4
Instruction ID: 0eb5c6332dc9c1dc71cee12ddfbdb023b96937c9316d9f25ae3acc129271921c
Opcode Fuzzy Hash: 96e2a7fcd16a1137c6c985f6180bbc7186bee0bf91829e00e1e3589625260ef4
Instruction Fuzzy Hash: 152124B59003499FDB14CFAAC881BEEBBF5FF48310F10842AE958A7240C7799940CBA4

Function 073C6750 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073C67D6

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ff497cfa791800c294acb95e350f79de03aa26991ed6a2b42130e16b014dff8b
Instruction ID: c86dbd75fae89258a7e4bf550a10404b1f4e421bdf942fd5ae109173d398fe39
Opcode Fuzzy Hash: ff497cfa791800c294acb95e350f79de03aa26991ed6a2b42130e16b014dff8b
Instruction Fuzzy Hash: 352145B5D003498FDB14CFAAC485BEEBBF4AF88210F14882ED459A7641CB789944CFA0

Function 073C69D8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073C6A60

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3809a38f5ee554d801bd60450c2b26d13204f8668c601700490eb7dad6be220c
Instruction ID: d1f3383e4b919408650dd216614b936d5f3d4ec350698522218fdd26e7f72217
Opcode Fuzzy Hash: 3809a38f5ee554d801bd60450c2b26d13204f8668c601700490eb7dad6be220c
Instruction Fuzzy Hash: 192124B5C003499FDB14CFAAC881AEEBBF1FF48310F14842EE959A7250C7799940CBA5

Function 073C6758 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073C67D6

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ec17f5874371a25438a9e2654f84b3dbcb297e5651b48848d9ab7530e0b043b4
Instruction ID: fd357ac73e4eecfdfb9b75f6f4f9e2d0b5a493db39fc7d4ceea189344c64d2e4
Opcode Fuzzy Hash: ec17f5874371a25438a9e2654f84b3dbcb297e5651b48848d9ab7530e0b043b4
Instruction Fuzzy Hash: EB2134B5D003098FDB14DFAAC485BEEBBF4EF48220F14882ED559A7240CB789944CFA4

Function 073C69E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073C6A60

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5e5f27c7987f8f4fcd072c9bc01a757da280bf80c994a6c3043ea42a1a7832b6
Instruction ID: 64492c8cb771f2e82320bb7ce6f648b3ff71276d33074234e770c9cc0f7886d0
Opcode Fuzzy Hash: 5e5f27c7987f8f4fcd072c9bc01a757da280bf80c994a6c3043ea42a1a7832b6
Instruction Fuzzy Hash: 952105B5C003499FDB14CFAAC881BEEBBF5FF48310F14842AE958A7250C7799940CBA4

Function 073CA0C2 Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073CA125

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 055b5de040c27604208e1723061c2088de3ea65b2e62f1143534c5d3bed3bee9
Instruction ID: f4b0d921d646bfa4e18437a0b16b7da0148ea0acee89acef0d148d0227139060
Opcode Fuzzy Hash: 055b5de040c27604208e1723061c2088de3ea65b2e62f1143534c5d3bed3bee9
Instruction Fuzzy Hash: 622127B68003499FEB20CF99D444BDEFBF4EB48324F20855ED559A7610C379A944CFA5

Function 0306D619 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306D6A7

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3b7691a8a3c98e93e76a9bc254d181cae1ca4e489d16021dec0c1be3fee60058
Instruction ID: c192ef617cdda4ed44ddc737508741108700355c6788300841bf64575b3a39ad
Opcode Fuzzy Hash: 3b7691a8a3c98e93e76a9bc254d181cae1ca4e489d16021dec0c1be3fee60058
Instruction Fuzzy Hash: 5621E2B5D012089FDB10CFAAD984AEEBBF5EF48314F14841AE958B7350D378A940CF64

Function 0306D620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306D6A7

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71b405661adb1e36d161e7433794d814c884aba077e9aeb8a89c20f3cbf4f9fd
Instruction ID: 8556dfce807277c62745e7102cb2a57ded29e1bd07bba11bbd9558d24ccf0b9e
Opcode Fuzzy Hash: 71b405661adb1e36d161e7433794d814c884aba077e9aeb8a89c20f3cbf4f9fd
Instruction Fuzzy Hash: 6521E2B5D003489FDB10CFAAD984ADEFBF8EB48310F14801AE958A7350C379A940CFA4

Function 073C6828 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073C689E

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e398aadb73722ac8850d8da4a09ea2a5584c7222c70662ce9c7ed1868065ff0b
Instruction ID: 6ce310240129fd51c2f684511137be47aa081e0cd09f99443453e409270af50f
Opcode Fuzzy Hash: e398aadb73722ac8850d8da4a09ea2a5584c7222c70662ce9c7ed1868065ff0b
Instruction Fuzzy Hash: 5E1136758003489FDF24CFAAC845BDEBBF1AF88314F14881DD959A7650CA799940CFA0

Function 073C6268 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073C62D2

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 25ac71ee390010e4edbee517d55fff2ad21a35a5029b4a991d79c72cb0d8fe81
Instruction ID: 321e20a481829c1cef5bb18cedf13fd14f384f7f04c7bb84b22a2934652d5a60
Opcode Fuzzy Hash: 25ac71ee390010e4edbee517d55fff2ad21a35a5029b4a991d79c72cb0d8fe81
Instruction Fuzzy Hash: 301137B5D003488FDB24DFAAC445BEEBBF5EF88214F24881EC459A7640CB799941CF95

Function 073C6830 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073C689E

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6cb480ff1163a94cefb13065061d017a563b3eb7199eb8f93234ccef4bc28138
Instruction ID: cd6a08771bcec0fa8f9d6374fc62ab0603ae28837246b7f9db1d9dac9dd99aa9
Opcode Fuzzy Hash: 6cb480ff1163a94cefb13065061d017a563b3eb7199eb8f93234ccef4bc28138
Instruction Fuzzy Hash: 4E1114758003499FDB24DFAAC845BDEBBF5EF88314F14881AE919A7250CB799940CBA4

Function 073C6270 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073C62D2

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0c9b3aaa1b211aa230bf0b55dd3ca67859bdda237d281458351bfc409f78e21e
Instruction ID: 3aed1da97e42815872f34779e4b4c85fbfc18906497a285d7d0f0eb9cdb490f7
Opcode Fuzzy Hash: 0c9b3aaa1b211aa230bf0b55dd3ca67859bdda237d281458351bfc409f78e21e
Instruction Fuzzy Hash: 821128B5D003488FDB24DFAAC445BDEFBF5EF48214F14841ED559A7240CA79A940CBA5

Function 073C5024 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073CA125

Memory Dump Source

Source File: 00000016.00000002.1543884159.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_73c0000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ce9386e36a0593323e585b81f89c030620a2add40f32dfa236a4650cadfddbf
Instruction ID: 42eace635dfc6a651e0ca251ce6562c9940593f6467b9735ef5d1a0564606836
Opcode Fuzzy Hash: 7ce9386e36a0593323e585b81f89c030620a2add40f32dfa236a4650cadfddbf
Instruction Fuzzy Hash: 831103B580034D9FDB20CF9AD884BDEFBF8EB48314F10845AE558A7600C379A944CFA5

Function 0306AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306AF9E

Memory Dump Source

Source File: 00000016.00000002.1532452954.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_3060000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5a56a6c8605f0596af1daf21a8b5a235d38899d9189479337d416ee1b627298
Instruction ID: f00601847bd2c3ca675f6db1233fa1bb8f40aa016ff4838c1c1f5e5195448854
Opcode Fuzzy Hash: c5a56a6c8605f0596af1daf21a8b5a235d38899d9189479337d416ee1b627298
Instruction Fuzzy Hash: C8110FB6D013498FCB20DF9AD444ADEFBF8EF88214F14841AD818B7610C3B9A545CFA1

Function 05CA86A0 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

0,Wq, xrefs: 05CA8702

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID: 0,Wq
API String ID: 0-851448320
Opcode ID: fb954ed55ac23cec7d302c6401eaccd836a9be314a89660a13a8738582f592c5
Instruction ID: fb026e59fa468e8bd845496a928244d33c32d604d8b66d6ad663638ccbf00938
Opcode Fuzzy Hash: fb954ed55ac23cec7d302c6401eaccd836a9be314a89660a13a8738582f592c5
Instruction Fuzzy Hash: 10517135F106049BD704AF68D845AADBBB3FF89300F1588A9E8916B395CF31AD4A87D1

Function 05CA86B0 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

0,Wq, xrefs: 05CA8702

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID: 0,Wq
API String ID: 0-851448320
Opcode ID: fd663f8cb43774f6dc98623f59ddf6bb0709ac0abc041c23a49d78580d31b494
Instruction ID: 5852aa8873b34bb0d6fe863c09b23bb0fcf056241a0b3222532eaefe7e2fb296
Opcode Fuzzy Hash: fd663f8cb43774f6dc98623f59ddf6bb0709ac0abc041c23a49d78580d31b494
Instruction Fuzzy Hash: 54516235F106149BD704AFA8D845AADBFB3FB89300F1584A9E8916B395CF31AD4A87C1

Function 05CA7BF8 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3793dfff380fee8cbd8eb48a8fc246c582dcab229dabde270b8fed07014f26
Instruction ID: 87995f612b634a98a1e880c84a4c4ff178baac0cc605a81d182eb23fcf4c600b
Opcode Fuzzy Hash: 0a3793dfff380fee8cbd8eb48a8fc246c582dcab229dabde270b8fed07014f26
Instruction Fuzzy Hash: 92F11076A00119DFCB04CF68C984EADBBF6FF88315B1584A9E405AB362DB34ED41CB50

Function 05CAC63F Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a585532168a388dca23781ab5c5cb082bc62bfd2ffd87c9fae1082f43c1a22
Instruction ID: b354467c4e45b6f587f90542cf985546384888587b1db634e6bb94a3aea4b00e
Opcode Fuzzy Hash: 72a585532168a388dca23781ab5c5cb082bc62bfd2ffd87c9fae1082f43c1a22
Instruction Fuzzy Hash: E651E275F0460ADFEB04DBAAC4407BEBFB2BB84215F108926F556E7380CB349D428B91

Function 05CA71B0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa091b120ed361b654143f348d7f884dd3284690267d733d8f5f5a26fc682c8
Instruction ID: 9462a711e26c9b736084eb6d37001a5d64f8da01e0c0f72b060276009a0d4b1f
Opcode Fuzzy Hash: dfa091b120ed361b654143f348d7f884dd3284690267d733d8f5f5a26fc682c8
Instruction Fuzzy Hash: CA617D71E0074ACFDB15CFA9C540AADBFF2FF89304F259A19E855AB241D770AA41CB50

Function 05CA8D74 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba4315261e01bc06729fd076a1f74476f425ddee97c54beb3b298aa8e24006b
Instruction ID: 53a214c5074d96b1c67c2f39d47eefac0e09f63afb19815c2169f6c301eb0f4e
Opcode Fuzzy Hash: 0ba4315261e01bc06729fd076a1f74476f425ddee97c54beb3b298aa8e24006b
Instruction Fuzzy Hash: DC518035B006068FDB14DBB99848A7EBBF7EFC5224B14892AE415D7391EB30DD058BA1

Function 05CA71A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7d85b1aa83dc4e4b8ffaa6354469c43057a127f4c48ef30758a63146544fc2
Instruction ID: e353ba16d690b184bcea2cb0778e066a87057e75f470d9d9f47e24cb91ed57b6
Opcode Fuzzy Hash: 1f7d85b1aa83dc4e4b8ffaa6354469c43057a127f4c48ef30758a63146544fc2
Instruction Fuzzy Hash: F2516C71E0574ADFCB15CFA5C140AADBFF2FF89304F259A19E845AB241E370AA81CB50

Function 05CA6383 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9266d441d4056b4fed84e955e5a20ba95b8209c9ed3870315b8b131ca1a1d18
Instruction ID: c4c4abd60050ee5eaf0b746d21462ebf652f9e7c22a7285f0fc41aa46669be5f
Opcode Fuzzy Hash: d9266d441d4056b4fed84e955e5a20ba95b8209c9ed3870315b8b131ca1a1d18
Instruction Fuzzy Hash: 1E419132E0424ADFCF11CFA4C845AADBFB2FF45314F088865E906AB291D731E995DB90

Function 05CA78D8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675e63cd422d5e41bbdbeb0f9d77860a93ebf53b79e701f54f06262db392d635
Instruction ID: 7208de477c1fddfd298c9baff0cd4273159151e86630fd892ab06acbcffce3ae
Opcode Fuzzy Hash: 675e63cd422d5e41bbdbeb0f9d77860a93ebf53b79e701f54f06262db392d635
Instruction Fuzzy Hash: 6841C236B002049FDB14AB69D859A6E7FF7FBC8220F14446AE506D7390CE35AD02CBA4

Function 05CA88D6 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0173c29a85c431e40dfe98af41019aa9ba4cd9d73a8e068bb191bcc6f425c4d5
Instruction ID: c5573dcc2c6fd25d6d6518712b827e77c977f1ce478447ed6118c550884d11a2
Opcode Fuzzy Hash: 0173c29a85c431e40dfe98af41019aa9ba4cd9d73a8e068bb191bcc6f425c4d5
Instruction Fuzzy Hash: DB31F6327083804FD701977598193697FF2EB86215F0988ABE586CB3D2CD388C06C762

Function 05CAB834 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0170d346bde534ec4c8e6a1b6866c5bff662212c54442bee8f14779dd613e7
Instruction ID: cac3d8cd103791068836b7b327a2a3a61e5072060b88fffbbc8b9ebb6ada84fe
Opcode Fuzzy Hash: af0170d346bde534ec4c8e6a1b6866c5bff662212c54442bee8f14779dd613e7
Instruction Fuzzy Hash: 493159769002099FCB14CFAAD845A9EBFF9EB48314F14842AE809E7310D779A944CFA0

Function 05CAD5A8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf6c6a4232b630b992c3a25ccf674a9c6b0a67367bffd14c9e545f0023ab3bd
Instruction ID: 96443ac2e1c8bca62728d88ad517d28aab8c968606c1b5af93638247741c558f
Opcode Fuzzy Hash: cdf6c6a4232b630b992c3a25ccf674a9c6b0a67367bffd14c9e545f0023ab3bd
Instruction Fuzzy Hash: BF31D07590565A8FC714CF6AC4446BEBFF2BB81209F14896BD0EB97A41C734D941CB22

Function 05CA8CF4 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24695159d57b9f26249aa186d8e0ff1efdaef318ac2181711362979afa8572e7
Instruction ID: 3f9c15bd45b2f67be46082fa9e514b1028690d459251d7c9c5713242685dd755
Opcode Fuzzy Hash: 24695159d57b9f26249aa186d8e0ff1efdaef318ac2181711362979afa8572e7
Instruction Fuzzy Hash: D221781680F7C68FD317976848A86C07F72AD1325871A09EBC1D98F963D11C884AC3A3

Function 05CA8918 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f29169701d892da701cd4ea3edd1af8e648092eba7a6e645c924da07ec1bc4
Instruction ID: 76524cd3198a749618ce65262c4281e0b8f5079c5c361638bd8bc495af223d8d
Opcode Fuzzy Hash: d7f29169701d892da701cd4ea3edd1af8e648092eba7a6e645c924da07ec1bc4
Instruction Fuzzy Hash: 4721F132B143018FD7149BB9981972E3EE6EB89219F14897AF907C7781DE35CC02C792

Function 05CA7BE8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517388e10596b0248ac33bef1674c50088c5dab12da278fac976c611b4171f72
Instruction ID: c1fbc9bfb920fd93e0a47d35ae32c2023014c329f12b69d30e3036c375858f13
Opcode Fuzzy Hash: 517388e10596b0248ac33bef1674c50088c5dab12da278fac976c611b4171f72
Instruction Fuzzy Hash: 1D317571A006168FDB04DF68C8889AEBBF6FF84318B258559E416973A5CB34ED42CB94

Function 02DED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531542965.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ded000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d24d3ce6282b1d37ad52e01e6e22d7ff3f1ec9d9793221b031397b70845b166
Instruction ID: dfd8dfb1a33e21de3ed5ffaf1bde5ce886a51c6f713b0220ff7f282f47ca742b
Opcode Fuzzy Hash: 7d24d3ce6282b1d37ad52e01e6e22d7ff3f1ec9d9793221b031397b70845b166
Instruction Fuzzy Hash: 5021D071604304DFDF24EF14D980B16BB6AEB84314F38C569E84A4B396CB3AD847CA62

Function 02DED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531542965.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ded000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dedd55e35734570a8257e3d5efb5e6d6f780221008775ae615f1606ed7775cc
Instruction ID: 72a2cbc258f34e570d4f0116a9a1e6508d84370a50613ae4ff5b31d658e8ae47
Opcode Fuzzy Hash: 9dedd55e35734570a8257e3d5efb5e6d6f780221008775ae615f1606ed7775cc
Instruction Fuzzy Hash: 2021F575504304EFDF15EF50D5C0B15BB6AFB84314F20C56DD84A4B392C736D846CA61

Function 05CA98C0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6ca4ca6dc1e8ff2c7fcf2d033687cbb97032af97c8310ba27e4d2808d33f48
Instruction ID: 1c4c13be5a45a36c585001d167f44e4613390a91c75d6ca46e0b56f76917e185
Opcode Fuzzy Hash: 4a6ca4ca6dc1e8ff2c7fcf2d033687cbb97032af97c8310ba27e4d2808d33f48
Instruction Fuzzy Hash: 9121D531B04205DFD714DA7A9859B2A7EB7EBC8215F50486ED60BD7385DE30CD054792

Function 05CA98B1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b24be7ec3533c1917d5ea70acae8607f21131dac2b8fe50a1eb2324f68e06a
Instruction ID: e3b028f2024b2b3092aab6c7a168b5f940baf0e938e12b8fed5848ef06bfa04c
Opcode Fuzzy Hash: 29b24be7ec3533c1917d5ea70acae8607f21131dac2b8fe50a1eb2324f68e06a
Instruction Fuzzy Hash: 68112432B04301EFD714CA7A984AB2A7EB7EBC8205F50486EE60AD7285DE30CD058792

Function 05CAA4C6 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15af99027f5c4eb1834ece2fb195f15107738f260ee670bec1f19a09bbfbb2e
Instruction ID: 1606079bb7245b879f8a23f43897875d5fdff58eb75c641cea3791675bea13f8
Opcode Fuzzy Hash: a15af99027f5c4eb1834ece2fb195f15107738f260ee670bec1f19a09bbfbb2e
Instruction Fuzzy Hash: 6631DFB1C01258DFDB20CFAAC988B9EBFF5AB48314F24885AE405BB250C7B99945CF55

Function 05CAA4D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8a832561e4e329a5e942c19f16300d624ccfe9f5c087ff357d5b551fc15947
Instruction ID: 90ef5a5abfd7798b22421ca574a4cd1cc387cd1d194c395292d10b8bb6902b0d
Opcode Fuzzy Hash: 1f8a832561e4e329a5e942c19f16300d624ccfe9f5c087ff357d5b551fc15947
Instruction Fuzzy Hash: 2121A0B1D01219DFDB20CF9AC988B8EBFB5AB48314F24845AE404BB250C7B99945CBA5

Function 02DED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531542965.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ded000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 631bdf5d6d931a1e2fee671264b5781f3fa264e00dcc0ef25b567c2fe9713e88
Instruction ID: f18704a4d3e5d144b8f01e00b0f9ed2bee9214e1e36c83a0e2ca9d5c5fe987fa
Opcode Fuzzy Hash: 631bdf5d6d931a1e2fee671264b5781f3fa264e00dcc0ef25b567c2fe9713e88
Instruction Fuzzy Hash: 022184755093C08FCB12DF24D594715BF72EF46214F28C5EAD8498F6A7C33A980ACB62

Function 05CAD3CA Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f28c009c290d1aadc584dd2d6fc5d3790c2c517e4f2c7935fc04e53c529b3d
Instruction ID: 1e9d40ab322c1fe5a4775f57f81a380e4c37faa5ebe68828a02937cc20de8c81
Opcode Fuzzy Hash: 60f28c009c290d1aadc584dd2d6fc5d3790c2c517e4f2c7935fc04e53c529b3d
Instruction Fuzzy Hash: 6111BB72A06117CBC7148FAED8812BABAF1FF44209F40093AA617EAA80D634A950C795

Function 05CAA310 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853c8a8b16bdf60465ad447080eb21139157caf42a3abf12c36aed038b810c03
Instruction ID: 6cc37a43d9fd2323a08fb21bf45d9d3bb16c513cf3bca8fd1b09d50b84fc822d
Opcode Fuzzy Hash: 853c8a8b16bdf60465ad447080eb21139157caf42a3abf12c36aed038b810c03
Instruction Fuzzy Hash: C111C276A006164BCB10DABA8C44ABFBBFBFBC4264B18892DE415D7340EF30DD058B60

Function 05CA78CA Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b150670a65add73a483f6d698c9344a7a60b4f8d3ac0fef9618d5226a4d9a940
Instruction ID: 18e301e31c6cee89783cfca559582d77abd54c2c901ecebba945e93716328c61
Opcode Fuzzy Hash: b150670a65add73a483f6d698c9344a7a60b4f8d3ac0fef9618d5226a4d9a940
Instruction Fuzzy Hash: 25114F36B112059FCB14DF64D846B9DBFF6FB8C215F14446AE916A7350CA31AD11CBA0

Function 05CAA240 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eff3e632270f3ddb0051330eeee769a4abeaa27ec7fc66d579c6fddf0ae815d
Instruction ID: 683ae52c4b59c78dc5cd747a9fa88c2842b255afdf6c6a391670c4c75fd24e0f
Opcode Fuzzy Hash: 1eff3e632270f3ddb0051330eeee769a4abeaa27ec7fc66d579c6fddf0ae815d
Instruction Fuzzy Hash: 05111F32F0021A8BCB54EBA9D8105FEBBF6BB88314B504579C515E7244EB368E52CB91

Function 05CAB844 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c172cbaca75f726c7363bd96da4d41ec590d7579bc9bb2e9052d0e9f48ecb450
Instruction ID: a433b02f5f9605f69173f231ec32b9b6954f35ac07ca94b440faa7502067295e
Opcode Fuzzy Hash: c172cbaca75f726c7363bd96da4d41ec590d7579bc9bb2e9052d0e9f48ecb450
Instruction Fuzzy Hash: 0D2100B6C003499FCB20CF9AD884ADEBFF4FB48314F10841AE919A7210C779A944CFA5

Function 05CAD4D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568f739f5798c2da35488a07e06676d6d4ac5dc49602e3ba6ae324e0cbb1a528
Instruction ID: de1dfb4906278d3d1cb063ac3e6a286707b00fb0876466b436ceedf6d0362f21
Opcode Fuzzy Hash: 568f739f5798c2da35488a07e06676d6d4ac5dc49602e3ba6ae324e0cbb1a528
Instruction Fuzzy Hash: 70014532B40201DFE7248A2ACC05F6ABBA3FBC5708F118839F1078FA95CEB1D8418791

Function 02DED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531542965.0000000002DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ded000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction ID: fbff3b8d09f47929a22220a4b84dcac2b5cf847f876bbb792749f4e462710587
Opcode Fuzzy Hash: 6f5963e13be94118601ce8c0c816b14e795ac28cdb338ecf6f134e886058e23b
Instruction Fuzzy Hash: 9C118B75504280DFCF15DF50D6C4B15BBA2FB84318F24C6AAD84A4B796C33AD84ACB61

Function 05CAD3EF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea90f293afb165def3444c54859b113105810b655867fd5d9a4e4d68ae62048
Instruction ID: a73f46b075926127e9d67b253eb17616e7e17ed5ad1a63e346fb4a897c66730c
Opcode Fuzzy Hash: 7ea90f293afb165def3444c54859b113105810b655867fd5d9a4e4d68ae62048
Instruction Fuzzy Hash: 2601CC76A06417CBC7148FAED4803BDFAB2FF44309F004922E617EAAC1DB30AA51C795

Function 05CA8469 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65f6f08c916767fca11a0ce474f9d495bea26ad5d812221a0de4d13349eea4f
Instruction ID: 9425c2222d43fd7fd7d62e2d86dafa5c0afede7937abab259fbc4cd3cb6ca500
Opcode Fuzzy Hash: f65f6f08c916767fca11a0ce474f9d495bea26ad5d812221a0de4d13349eea4f
Instruction Fuzzy Hash: 03111B70D0060CDFEB44EFA4C94279EBBF2EB48200F5085A9C115E7350EB359E469F81

Function 05CA6221 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71a88ec1c9a6dc922288d6ae09dfe3bebcb3c5ae6d06d8d7617a741762f23b0
Instruction ID: d7e9bb3114942ce79578a0fdb7e556d11c8626cf68fbf461a1221b904d4c4fef
Opcode Fuzzy Hash: d71a88ec1c9a6dc922288d6ae09dfe3bebcb3c5ae6d06d8d7617a741762f23b0
Instruction Fuzzy Hash: 85011772A001199BCF09DF99D8458DDBBF9FF88310B04852AE90AEB254D731A919CB90

Function 02DDD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531418289.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ddd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed1fd6a7f937dd9c39c802b31c87bd838de5103e63d7faadff6b1b7e0973e06
Instruction ID: 5c25c7f8200548307c0feb79c609851be303565b34abf8870712941d7a5f8a1a
Opcode Fuzzy Hash: 4ed1fd6a7f937dd9c39c802b31c87bd838de5103e63d7faadff6b1b7e0973e06
Instruction Fuzzy Hash: 7D01A732504744BEEB204A55CD84B66BBA9DF41224F18859AED4A4A786C7799C40CA72

Function 05CA8478 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a13c58886497dc49c928e43efcd13ed05fade87e79b8c0d1b09c548a23da14
Instruction ID: 56a079b56436efe5c95b80097014a29d0324d3b0d6debbca99abfe0ddf898ba1
Opcode Fuzzy Hash: 91a13c58886497dc49c928e43efcd13ed05fade87e79b8c0d1b09c548a23da14
Instruction Fuzzy Hash: B101E570D0020DEFEB44EFA4C551A9EBBB6FB48200F5085AAC515EB350EB355E469F81

Function 05CA6F48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
Instruction ID: a6b6399d67dcf2e215a6f308081b0ee146945984bc2bfda1bf0509ea136278e7
Opcode Fuzzy Hash: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
Instruction Fuzzy Hash: 58F0B47BF042165FCB28CE6DC844BBE3BAAEB88364F198876E026C7350D935DD808751

Function 05CAA884 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474864727a33e23236c9725b9da59d47ba9eb8cedce1f2fb462332f74c98dcb8
Instruction ID: 3efaae8edfe4b3e207dfb59a9dcef86b67f47e10ab706417fea64ea5e9f5bd2c
Opcode Fuzzy Hash: 474864727a33e23236c9725b9da59d47ba9eb8cedce1f2fb462332f74c98dcb8
Instruction Fuzzy Hash: E3012171C0421ADFDB14CF69C8443ED7FF1BF48314F148A29D425AA2A0D3744A85CF90

Function 02DDD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1531418289.0000000002DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2ddd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f490688ecf6ee3be418646e7ecd36f574b42ead543914e92bae906fd23b093f7
Instruction ID: 1564c846216442dca92e470b9526e0262686d2f9589f262d4424316e67145675
Opcode Fuzzy Hash: f490688ecf6ee3be418646e7ecd36f574b42ead543914e92bae906fd23b093f7
Instruction Fuzzy Hash: A0F0CD32404344AEEB208A06CC84B62FFA8EF41634F18C49AED090B386C379AC40CAB1

Function 05CAA278 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17489b4d7870b2e1e25f89e11b7dd34ad108eca4213017ee33820b527a4fabf
Instruction ID: 36204b74337a08732adc3956d65ac5999a946f7a2023426188254e6c7fa8f26d
Opcode Fuzzy Hash: b17489b4d7870b2e1e25f89e11b7dd34ad108eca4213017ee33820b527a4fabf
Instruction Fuzzy Hash: C2F0B437F0068A87DB25E7ACC8101FE7BB7ABC82547208525C406A7344FE26CD62CB91

Function 05CAA92A Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b76db64179589ad77bfe5b7c6bfc578ac08c7803488c944a7208e5dae9876e0
Instruction ID: 9745732cf941d74b5e88075c364a94a3753299eb939987acd6dbe15dc48a4349
Opcode Fuzzy Hash: 1b76db64179589ad77bfe5b7c6bfc578ac08c7803488c944a7208e5dae9876e0
Instruction Fuzzy Hash: EBF030767042186F93049A6EDC84D6BBBEEEBCC671755817AF50DD7310D9319C0186B0

Function 05CAA890 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2b72f6a30bf721a9435cea23da5c9b87d0255f563594ae58fab2b15245dd99
Instruction ID: fcc7e5dbdfe003a8367e7ead218231a6cac1c78c9b57f22e03d26f8ec6258301
Opcode Fuzzy Hash: 9d2b72f6a30bf721a9435cea23da5c9b87d0255f563594ae58fab2b15245dd99
Instruction Fuzzy Hash: 9A01FB71C0021ADFEB14CF6AC8083AEBEF1BF48354F10CA25E425AA290D7744A81CFD0

Function 05CA90B8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23fb4992a131bc43c5c704a03bcdd433120ee5299e4ffd5cb4b343d95c099aa
Instruction ID: 7df69051d32f20afce5e95eba2f8c2bcc43d2e0851b5ca3cee722de79577488b
Opcode Fuzzy Hash: c23fb4992a131bc43c5c704a03bcdd433120ee5299e4ffd5cb4b343d95c099aa
Instruction Fuzzy Hash: 7BF0EC73609209AFD701DA6CCD45E6A7FA5EF5560CB104C95E4098B101D9319D009656

Function 05CABCD8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d952ba58157a132190f5c1343c9772dbad0486b34021c96537463f8d26786d2
Instruction ID: 4135aa39078fdd0f0d14d63318e5bbf60d35dfd7ea4693dc7ca8a150d9c1ac39
Opcode Fuzzy Hash: 5d952ba58157a132190f5c1343c9772dbad0486b34021c96537463f8d26786d2
Instruction Fuzzy Hash: 06F0A773A041496FDF05CFA8D94599E7FBAEF04218B0980ABE445E7371E6319E54C750

Function 05CABC78 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112f7aff6f99370a1b2871c7e2fbe7a7386049a9aea79362bbadf799aef22dbe
Instruction ID: 87b04119f7a19e3bd151eb1e18986c12dffdb30493b461ddb4910d6fd58ad9c2
Opcode Fuzzy Hash: 112f7aff6f99370a1b2871c7e2fbe7a7386049a9aea79362bbadf799aef22dbe
Instruction Fuzzy Hash: ABF02772B4A3849FDB05CBB48C198AE7FF59F8210871548EBE806D7242E9308D09D322

Function 05CAA930 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ccd2aed0096100db788d9acffa3ef455991c8dc845d940833d6ce871109480
Instruction ID: 2d756e6954c441e36174bc64e57a71a4ece473ab925877348beb138a8de479d3
Opcode Fuzzy Hash: 20ccd2aed0096100db788d9acffa3ef455991c8dc845d940833d6ce871109480
Instruction Fuzzy Hash: 51E03972B042286FA3049A6AE884D6BBBEEEBCC670351807AF508C7310D931AC0086A0

Function 05CAD38A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3b9c7ca7b88ecf03051b6d812048f57d49a5613da1aadc26d79f65edef6ead
Instruction ID: 20eef307dcece8e81e7ba7d3caa50ec1256ac0299c6b8216caa3426965588088
Opcode Fuzzy Hash: 8d3b9c7ca7b88ecf03051b6d812048f57d49a5613da1aadc26d79f65edef6ead
Instruction Fuzzy Hash: 71D01291705A1EDFE7105A65841AB353CB7FB82654B9098B9D403EAB88CE7ACD028A12

Function 05CAF398 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81e8c18fbed0db158e39c9570233fed98ad29bbe398c62097b085a5f3fd9aa9
Instruction ID: 70f7178ae4d44bece684b0ef393013552142357def2d0996cbd86e3f0873df26
Opcode Fuzzy Hash: c81e8c18fbed0db158e39c9570233fed98ad29bbe398c62097b085a5f3fd9aa9
Instruction Fuzzy Hash: C3C04C7605674D8BD228AFA5A61CB247AB9E70121AF44141CD54E52463CBF1D850CA65

Function 05CAA208 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e336042d199c2c3996cfad34ef551ea3cc2684fd619d3c9705a0611b56c7b428
Instruction ID: 01a171ca852922b1378569e44fa44b156d07569b1e59be5d8cc0a87a149fe3d9
Opcode Fuzzy Hash: e336042d199c2c3996cfad34ef551ea3cc2684fd619d3c9705a0611b56c7b428
Instruction Fuzzy Hash: 2CC0027BA5A6C15EE7466F609829D82BF72BA6220C34990E2D0905B173D515882CE725

Function 05CA90C4 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ee5d744cb3e991202416803482875f0e5c2709e7cc8c98786a271cb4cda3f6
Instruction ID: 39297574e5660ed3e46c0b08ea977b8f912166a5dd61139f4089b2860073fdd5
Opcode Fuzzy Hash: 83ee5d744cb3e991202416803482875f0e5c2709e7cc8c98786a271cb4cda3f6
Instruction Fuzzy Hash: 64B01237265646B2E10462A849C5E1F5C21EFB2B0DBC08C05B389584008930DC2DE52F

Function 05CABCB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1543487138.0000000005CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_5ca0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e578579684357e8d3bd0724d182e4fda7278625cf498e068f7792d194105cfb
Instruction ID: 1960ad32f2fe329ef3bc902e67d477b489a0c234dd3468aa7b7abde275cae50f
Opcode Fuzzy Hash: 1e578579684357e8d3bd0724d182e4fda7278625cf498e068f7792d194105cfb
Instruction Fuzzy Hash: 75C08C121AB3C10EE302433408288862F30197320D3082083C28262063C004005CD23A

Analysis Process: ZUHFqcY.exePID: 6524, Parent PID: 7532COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	6

Executed Functions

Function 016DECA2 Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016DED2E
GetCurrentThread.KERNEL32 ref: 016DED6B
GetCurrentProcess.KERNEL32 ref: 016DEDA8
GetCurrentThreadId.KERNEL32 ref: 016DEE01

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aa605b22406cb77da711ec5c620a7055fc5a17e0d97e0df759207c0414b99f33
Instruction ID: 0dad45fe0a226c83ecf29128d2773b19e6d2cdba0585be646cbc9aac11f75988
Opcode Fuzzy Hash: aa605b22406cb77da711ec5c620a7055fc5a17e0d97e0df759207c0414b99f33
Instruction Fuzzy Hash: 365159B2D01749CFDB18CFAAC948B9EBBF1EF48304F248459D409AB350D7795944CB65

Function 016DECB0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016DED2E
GetCurrentThread.KERNEL32 ref: 016DED6B
GetCurrentProcess.KERNEL32 ref: 016DEDA8
GetCurrentThreadId.KERNEL32 ref: 016DEE01

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2df4585ef3707ef4e7c70b7fd6d08678e3761aad241a673fe97279843f7d95b2
Instruction ID: 16794121a13de0d00e0ed132ed5e4fa62837e105e34041a5c369166004f99acc
Opcode Fuzzy Hash: 2df4585ef3707ef4e7c70b7fd6d08678e3761aad241a673fe97279843f7d95b2
Instruction Fuzzy Hash: 2C5146B1D01749CFDB28CFAAD948B9EBBF1EF48304F208459D409AB360DB799944CB65

Function 06BBC120 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.2580966227.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6bb0000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1310da53810b603f1956c13d6dbe59a8bdfff6a834b0b5be0a673f5cc88e8e2
Instruction ID: 400df8e09d51b5ae57be7f1e906cd5942b09242378ca247c91982d20e6b740cc
Opcode Fuzzy Hash: f1310da53810b603f1956c13d6dbe59a8bdfff6a834b0b5be0a673f5cc88e8e2
Instruction Fuzzy Hash: 83412271D043598FDB14CFAAD8046EEBBF5EF89210F1585ABD444A7250DBB89841CBE0

Function 016D70B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016D712F

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ddfad60e7dfbf86342a24160b214fa23db780b13840b09841020a1300238971c
Instruction ID: 2bdb1e7e92330eb4a5d8f6a499af4fc285238c80f63045c5753012ccf2febccf
Opcode Fuzzy Hash: ddfad60e7dfbf86342a24160b214fa23db780b13840b09841020a1300238971c
Instruction Fuzzy Hash: 95216672C002598FCB14CFAAD884BEEFBF4EF49214F14842AE848A7250D778A944CF61

Function 016D70B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016D712F

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: aafa393495ad22f08054a7feaa8ce8f57b7db3563ac7577b54223091dd04b5cc
Instruction ID: a196449750565c9df70c098a6f50803ef695aff0a8c0b61a442cd293dea3aa52
Opcode Fuzzy Hash: aafa393495ad22f08054a7feaa8ce8f57b7db3563ac7577b54223091dd04b5cc
Instruction Fuzzy Hash: 2B214871C002598FDB14CFAAD844BEEFBF5EF49214F14841AE858A3350D778A944CF61

Function 06BBC1F0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BBC172), ref: 06BBC25F

Memory Dump Source

Source File: 00000019.00000002.2580966227.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6bb0000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 07fb8dee2680fdda15791b4a5e96ef56b39183006f8d949bf139d0be930528ac
Instruction ID: 8b444f67469bde88b976ba38743c041d57edd1dbdf64e51061b7b598756e1c09
Opcode Fuzzy Hash: 07fb8dee2680fdda15791b4a5e96ef56b39183006f8d949bf139d0be930528ac
Instruction Fuzzy Hash: 422145B1C042999FDB11CFAAC844BDEFFB4AF09210F1581AAD458A7252D378A944CFA1

Function 016DEEF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DEF7F

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dc5217dd94b405bfcd196af43bc9240cf3496d69dd6d5622d74d4fae2668923d
Instruction ID: 57f2d57b5148962b8e3a124c15327ac5475b5559410d8da1cb772192c22b3d25
Opcode Fuzzy Hash: dc5217dd94b405bfcd196af43bc9240cf3496d69dd6d5622d74d4fae2668923d
Instruction Fuzzy Hash: 3921E2B5D002489FDB10CFAAD984ADEFFF5EB48310F14841AE918A7750D379A954CFA0

Function 016DEEF8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DEF7F

Memory Dump Source

Source File: 00000019.00000002.2555776130.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_16d0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 092e9ad92c60b5ba852f13aec0b0550c1444c64e52baed62fc98f86b231d2fc6
Instruction ID: c8a784532e332411c4bbeb3cfb472ef5a79f5055cbf29bb7124b97d0791c80f3
Opcode Fuzzy Hash: 092e9ad92c60b5ba852f13aec0b0550c1444c64e52baed62fc98f86b231d2fc6
Instruction Fuzzy Hash: 8621C4B5D002489FDB10CFAAD984ADEFFF5EB48310F14841AE958A7350D379A944CFA5

Function 06BBB8F4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06BBC172), ref: 06BBC25F

Memory Dump Source

Source File: 00000019.00000002.2580966227.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6bb0000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 62758c92d3fb8d0cdd6793003a3c779db723a905fd40b57d2cf41798262fe08e
Instruction ID: 0ea06f62486e662e9c18bbdb2d90af811fda4171686ef4ca0c1fc26fea3fbcea
Opcode Fuzzy Hash: 62758c92d3fb8d0cdd6793003a3c779db723a905fd40b57d2cf41798262fe08e
Instruction Fuzzy Hash: C21103B1C006599FDB10CF9AC444BEEFBF4EB48710F14816AE818B7640D7B8A940CFA5

Function 06CAD460 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06CAE38D

Memory Dump Source

Source File: 00000019.00000002.2581266139.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6ca0000_ZUHFqcY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c78b1529cbd03819ac38d289797ca7a48f822bf0d0b2249d26144b8ea36efa45
Instruction ID: ba63fe5d7f2d5db6ec3690851ed69af823c586ba44b21ce86b775e6ac67add5d
Opcode Fuzzy Hash: c78b1529cbd03819ac38d289797ca7a48f822bf0d0b2249d26144b8ea36efa45
Instruction Fuzzy Hash: 2F1100B58007498FDB20DF9AD448BDEFBF4EB48224F20845AD558A7650C379A944CFA5

Function 06CAE330 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06CAE38D

Memory Dump Source

Source File: 00000019.00000002.2581266139.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_6ca0000_ZUHFqcY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d67152a80f453adc2ca43beb067dedf68c7a8100290990f96469bbd55a1d0c40
Instruction ID: 51350ca44d4709fbfc6f424419bfcebaa84bfdfc1bed6d78c6277c8dd1b40b5c
Opcode Fuzzy Hash: d67152a80f453adc2ca43beb067dedf68c7a8100290990f96469bbd55a1d0c40
Instruction Fuzzy Hash: 911100B58003499FDB20DFAAD444BDEFBF4EB48324F20841AD559A7610C379A944CFA5

Function 0144D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2552923631.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_144d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb298ac7de53c1b27baaad9db3888e1fda73456e4843f623a516cf3eb95711f
Instruction ID: 885e5b6c89964010a592b211a6be73abb70fe7e7c7703e4d2bdcfc50508768ee
Opcode Fuzzy Hash: eeb298ac7de53c1b27baaad9db3888e1fda73456e4843f623a516cf3eb95711f
Instruction Fuzzy Hash: E03159715093C49FDB13CF64D994711BF71AB46214F29C5DBD9898F2A3C23A980ACB62

Function 0144D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.2552923631.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_144d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad7a9fbbb1a09437095574ef3bc157c0735b64722f8abd11b58701ad42c9f39
Instruction ID: 17b17f14473f1418efa5c53d46064d5dbe8d5cf77d84649c0a8b11841c773e35
Opcode Fuzzy Hash: aad7a9fbbb1a09437095574ef3bc157c0735b64722f8abd11b58701ad42c9f39
Instruction Fuzzy Hash: 5321F5B1904304DFEB15DF94D9C0B16BBA5EB94318F24C56ED90A4B362C33AD447CA62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cotizaci#U00f3n P13000996 pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cotizaci#U00f3n P13000996 pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZUHFqcY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jHJQWf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ql0yhw0.mse.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_531jyh3d.4q5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ibn1lnad.xeo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_idtda2ui.n3g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kn5xsb0o.vk4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nv0n1m2g.uw5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qfta0r4n.2x4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zizfyhcx.uwi.ps1

Windows Analysis Report
Cotizaci#U00f3n P13000996 pdf.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre