Edit tour

Windows Analysis Report
nuevo orden.exe

Overview

General Information

Sample name:	nuevo orden.exe
Analysis ID:	1555015
MD5:	1af621550628ee8ace6ea7c6afefb0fe
SHA1:	0c06b92be85b5810e75709b307ef28df4a5623bb
SHA256:	d097aece3afaf2eeafce3fea88dc99e98ef31465bb9216fbc4bbc0c649dea94c
Tags:	AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nuevo orden.exe (PID: 5172 cmdline: "C:\Users\user\Desktop\nuevo orden.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

powershell.exe (PID: 1444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nuevo orden.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\nuevo orden.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

ZUHFqcY.exe (PID: 356 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

ZUHFqcY.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

ZUHFqcY.exe (PID: 1280 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

ZUHFqcY.exe (PID: 5344 cmdline: "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe" MD5: 1AF621550628EE8ACE6EA7C6AFEFB0FE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "eric.zhang@longpowartech.com", "Password": "    w#chNV#1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3421195838.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3422052551.0000000002C36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3422052551.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3421733340.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.3421195838.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nuevo orden.exe PID: 5172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nuevo orden.exe PID: 5172	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: nuevo orden.exe PID: 5172	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: nuevo orden.exe PID: 6256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nuevo orden.exe PID: 6256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 356	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 5268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 5268	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 5344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ZUHFqcY.exe PID: 5344	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nuevo orden.exe.3c07e70.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nuevo orden.exe.3c07e70.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nuevo orden.exe.3c07e70.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.nuevo orden.exe.3bcc450.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nuevo orden.exe.3bcc450.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nuevo orden.exe.3bcc450.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32542:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x325b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3263e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x326d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3273a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x327ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32842:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x328d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.nuevo orden.exe.3c07e70.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nuevo orden.exe.3c07e70.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.nuevo orden.exe.3c07e70.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nuevo orden.exe.3c07e70.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.nuevo orden.exe.3bcc450.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.nuevo orden.exe.3bcc450.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.nuevo orden.exe.3bcc450.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.nuevo orden.exe.3bcc450.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34342:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6fd62:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x343b4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fdd4:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3443e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6fe5e:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x344d0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fef0:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3453a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ff5a:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x345ac:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ffcc:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34642:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x70062:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x346d2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x700f2:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nuevo orden.exe", ParentImage: C:\Users\user\Desktop\nuevo orden.exe, ParentProcessId: 5172, ParentProcessName: nuevo orden.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", ProcessId: 1444, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\nuevo orden.exe, ProcessId: 6256, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZUHFqcY

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\nuevo orden.exe, Initiated: true, ProcessId: 6256, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\nuevo orden.exe", ParentImage: C:\Users\user\Desktop\nuevo orden.exe, ParentProcessId: 5172, ParentProcessName: nuevo orden.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe", ProcessId: 1444, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:27:24.083031+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.6	49785	TCP
2024-11-13T10:28:02.316167+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.6	49993	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "eric.zhang@longpowartech.com", "Password": " w#chNV#1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: nuevo orden.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nuevo orden.exe

Joe Sandbox ML: detected

Source: nuevo orden.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nuevo orden.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: BXjh.pdb source: nuevo orden.exe, ZUHFqcY.exe.5.dr
Source:	Binary string: BXjh.pdbSHA256 source: nuevo orden.exe, ZUHFqcY.exe.5.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 208.91.199.224:587

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49993
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49785

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 208.91.199.224:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440121979.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440988711.0000000006205000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440121979.00000000062F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: nuevo orden.exe, 00000005.00000002.3421733340.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.0000000001157000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.00000000012A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ZUHFqcY.exe, 0000000A.00000002.3418014149.00000000012A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingJ
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440121979.00000000062F0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: nuevo orden.exe, 00000000.00000002.2196528166.0000000002A0B000.00000004.00000800.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000006.00000002.2319147071.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000009.00000002.2396410946.000000000269E000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nuevo orden.exe, ZUHFqcY.exe.5.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: nuevo orden.exe, 00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, X3fxBL.cs	.Net Code: UdKYqv
Source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, X3fxBL.cs	.Net Code: UdKYqv

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.nuevo orden.exe.3c07e70.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.nuevo orden.exe.3bcc450.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_0281CFA4	0_2_0281CFA4
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2C5E0	0_2_06F2C5E0
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2C5DA	0_2_06F2C5DA
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F23560	0_2_06F23560
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F23550	0_2_06F23550
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2E3E0	0_2_06F2E3E0
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2E3DA	0_2_06F2E3DA
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F203A8	0_2_06F203A8
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F20398	0_2_06F20398
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2C1A8	0_2_06F2C1A8
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2BD70	0_2_06F2BD70
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F2CA18	0_2_06F2CA18
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_07891E68	0_2_07891E68
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_07890040	0_2_07890040
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_07890007	0_2_07890007
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_01114AD0	5_2_01114AD0
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_01113EB8	5_2_01113EB8
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_01114200	5_2_01114200
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A6B4D8	5_2_06A6B4D8
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A63478	5_2_06A63478
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A60566	5_2_06A60566
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A6F3C0	5_2_06A6F3C0
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A68CF0	5_2_06A68CF0
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A69D48	5_2_06A69D48
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A66BB8	5_2_06A66BB8
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A69433	5_2_06A69433
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_06A6ADF8	5_2_06A6ADF8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_00F62438	6_2_00F62438
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_00F6CFA4	6_2_00F6CFA4
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_00F67BC3	6_2_00F67BC3
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_06E90040	6_2_06E90040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_06E91E68	6_2_06E91E68
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_06E9003B	6_2_06E9003B
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073D3560	6_2_073D3560
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073D3550	6_2_073D3550
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DC5E0	6_2_073DC5E0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DC5DA	6_2_073DC5DA
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073D03A8	6_2_073D03A8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073D0398	6_2_073D0398
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DE3E0	6_2_073DE3E0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DE3DB	6_2_073DE3DB
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DC1A8	6_2_073DC1A8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DBD70	6_2_073DBD70
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DCA18	6_2_073DCA18
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_00F94AD0	7_2_00F94AD0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_00F9CA38	7_2_00F9CA38
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_00F93EB8	7_2_00F93EB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_00F94200	7_2_00F94200
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06673478	7_2_06673478
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_0667B4D8	7_2_0667B4D8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_0667F3C0	7_2_0667F3C0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06670040	7_2_06670040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06678CF0	7_2_06678CF0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06679D48	7_2_06679D48
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06676BB8	7_2_06676BB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_06679448	7_2_06679448
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 7_2_0667ADF8	7_2_0667ADF8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0099CFA4	9_2_0099CFA4
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_06C31E58	9_2_06C31E58
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_06C30040	9_2_06C30040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_06C30023	9_2_06C30023
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_07093550	9_2_07093550
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_07093560	9_2_07093560
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709C5D2	9_2_0709C5D2
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709C5E0	9_2_0709C5E0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_07090398	9_2_07090398
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_070903A8	9_2_070903A8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709E3D9	9_2_0709E3D9
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709E3E0	9_2_0709E3E0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709C1A8	9_2_0709C1A8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709BD70	9_2_0709BD70
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_0709CA18	9_2_0709CA18
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_011F4AD0	10_2_011F4AD0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_011F3EB8	10_2_011F3EB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_011F4200	10_2_011F4200
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06959631	10_2_06959631
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_0695E578	10_2_0695E578
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06955078	10_2_06955078
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A2B4D8	10_2_06A2B4D8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A23478	10_2_06A23478
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A29D48	10_2_06A29D48
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A26BB8	10_2_06A26BB8
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A2F3C0	10_2_06A2F3C0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A20040	10_2_06A20040
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A28CF0	10_2_06A28CF0
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A29433	10_2_06A29433
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_06A2ADF8	10_2_06A2ADF8

Source: nuevo orden.exe, 00000000.00000002.2200644804.0000000005470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000002.2188278997.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000002.2196528166.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename51fb4aff-95dd-4a93-9ab4-04a316570185.exe4 vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000000.2173904671.000000000071E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBXjh.exe" vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename51fb4aff-95dd-4a93-9ab4-04a316570185.exe4 vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nuevo orden.exe
Source: nuevo orden.exe, 00000000.00000002.2203066372.00000000078F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs nuevo orden.exe
Source: nuevo orden.exe, 00000005.00000002.3416019378.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs nuevo orden.exe
Source: nuevo orden.exe, 00000005.00000002.3415395729.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename51fb4aff-95dd-4a93-9ab4-04a316570185.exe4 vs nuevo orden.exe
Source: nuevo orden.exe	Binary or memory string: OriginalFilenameBXjh.exe" vs nuevo orden.exe

Source: nuevo orden.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.nuevo orden.exe.3c07e70.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nuevo orden.exe.3bcc450.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: nuevo orden.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZUHFqcY.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, ojfoYn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, ojfoYn.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, nz576WY2fl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, fq6MquFPL9.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, fq6MquFPL9.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, jNAS4j9fQeCL43sUac.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, HR8leUGke1iYnYjYyR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, jNAS4j9fQeCL43sUac.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/9@2/2

Source: C:\Users\user\Desktop\nuevo orden.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nuevo orden.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gronkilf.uie.ps1

Jump to behavior

Source: nuevo orden.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nuevo orden.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\nuevo orden.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nuevo orden.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\nuevo orden.exe

File read: C:\Users\user\Desktop\nuevo orden.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nuevo orden.exe "C:\Users\user\Desktop\nuevo orden.exe"
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Users\user\Desktop\nuevo orden.exe "C:\Users\user\Desktop\nuevo orden.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Users\user\Desktop\nuevo orden.exe "C:\Users\user\Desktop\nuevo orden.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\nuevo orden.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\nuevo orden.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: nuevo orden.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nuevo orden.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: nuevo orden.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: BXjh.pdb source: nuevo orden.exe, ZUHFqcY.exe.5.dr
Source:	Binary string: BXjh.pdbSHA256 source: nuevo orden.exe, ZUHFqcY.exe.5.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, HR8leUGke1iYnYjYyR.cs	.Net Code: addcjc6yOa System.Reflection.Assembly.Load(byte[])
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, HR8leUGke1iYnYjYyR.cs	.Net Code: addcjc6yOa System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_0281D4B0 pushfd ; ret	0_2_0281D4B1
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 0_2_06F27320 push esp; retf	0_2_06F27321
Source: C:\Users\user\Desktop\nuevo orden.exe	Code function: 5_2_0111CB44 pushad ; iretd	5_2_0111CEBD
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_00F6D4B0 pushfd ; ret	6_2_00F6D4B1
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_06E91E58 push esp; retn 0006h	6_2_06E91E5A
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DF279 push ss; retn 0006h	6_2_073DF27A
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DF240 push ss; retn 0006h	6_2_073DF242
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 6_2_073DF2C0 push ss; retn 0006h	6_2_073DF2C2
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_00995C88 pushad ; retn 0000h	9_2_00995C89
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_00999E41 pushfd ; retn 0000h	9_2_00999E42
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 9_2_07097320 push esp; retf	9_2_07097321
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_0695BF60 push es; ret	10_2_0695BF70
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_0695B934 push es; retf	10_2_0695B948
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_0695B94D push es; retf	10_2_0695B948
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Code function: 10_2_0695B949 push es; retf	10_2_0695B94C

Source: nuevo orden.exe	Static PE information: section name: .text entropy: 7.945028236511907
Source: ZUHFqcY.exe.5.dr	Static PE information: section name: .text entropy: 7.945028236511907

Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, nUVMUTwJNZb0qjIrXS.cs	High entropy of concatenated method names: 'SXgoL4rcAk', 'Qq2otgARNP', 'cLUowbKDBm', 'QlGoeFSCFI', 'kkdovAg1pd', 'idxolj0WpW', 'T3JoyqGeHj', 'YhsoHfvMHG', 'UdAog4Rg8f', 'GicobW7J6w'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, f8GXSI8dfcOXDYFeYq.cs	High entropy of concatenated method names: 'gsefS2Ipfw', 'bckfZnkSJd', 'uXKmaOlKYJ', 'nHim56GS9q', 'V7xf1q5sqT', 'XFgftXqMlb', 'YT0fQHvCuw', 'psofwNXUGr', 'ImnfeKRyOW', 'Dh5f4a8Uhk'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, aVCaA3d0t28yPseesH.cs	High entropy of concatenated method names: 'Dispose', 'cDH5WxNHKf', 'A9HpvqcUuH', 'Ppl79mdxgQ', 'VkO5ZvLNmX', 'SaZ5zPcllJ', 'ProcessDialogKey', 'omBpaG3nY4', 'aG6p5dMwpG', 'y1Opp0wdQp'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, YvGYe7QSIaOMfnsZd7.cs	High entropy of concatenated method names: 'xWkB9JKPKZ', 'gRvB0EL2Lr', 'UG4Bshbst5', 'meGBvlfebT', 'HOLBybMT8P', 'sujBHFcDts', 'NtTBb3VBTr', 'VICBuAARuw', 'DDbBLlkHCT', 'VPrB1mdk36'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, nG3nY4WaG6dMwpGE1O.cs	High entropy of concatenated method names: 'ne8rs8wymQ', 'iy0rvCPHxr', 'zdkrlCv9Bn', 'FqoryYjXer', 'Xd7rHiaxc6', 'HV5rgOCucM', 'kJ6rbayMZ1', 'rScruqfhg2', 'A9vrKTKXrw', 'ueurLdiyIn'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, Sn3ea7bCGZDnbqhIeB.cs	High entropy of concatenated method names: 'WK1XJa8Ayn', 'dSUXIwYoLS', 'yWoXORobS7', 'K0WOZWjrjZ', 'hD2OzWFaMH', 'NNnXah9ILP', 'wItX5pi3DQ', 'qv5Xpt2XPA', 'M85XVqNbSv', 'oFXXcJhf2Q'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, gwUc6n5aqAXhZTNg0YF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tdp71tij87', 'Dqg7t9PI7f', 'veZ7QHjcg2', 'NYI7w2QcxK', 'hqY7ex1Umf', 'BS974sUTcE', 'hBA7RpvEft'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, jNAS4j9fQeCL43sUac.cs	High entropy of concatenated method names: 'hvjdw089V1', 'jyEdeLmewR', 'DXyd498Ht8', 'HJAdROOjiw', 'TYdd3Um2PQ', 'f0ld8NECLy', 'M7rdAilwoQ', 'GcXdSPqap7', 'zvcdWqGcK0', 'TMEdZZXfus'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, eSXgHXcJKytyOiMBEX.cs	High entropy of concatenated method names: 'UrX5XNAS4j', 'qQe5GCL43s', 'L475YQqRNi', 'CTp5FY2KAQ', 'kNH5o3eYpM', 'yGK5TqoCco', 'NnRwJaJRUDOwFK9IYZ', 'w7NN8ZhXn1qbwd4aLE', 'OXK55iJ7s0', 'p6I5VbPHGu'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, xR9B3jzrW6xI5Sipho.cs	High entropy of concatenated method names: 'gZM76B5Ds8', 'YLm794PitH', 'Gku70pO18a', 'hgg7swNnrg', 'v1C7v5gHfw', 'Hck7ys0yxM', 'mGJ7HGqDa0', 'GPH7hFAnrp', 'Db37MD7kPL', 'L7M7EwEEK5'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, hKAQbOnUNmjciGNH3e.cs	High entropy of concatenated method names: 'Mhl2CQbhIU', 'oEm2qjnfGh', 'WM7IlMXkLr', 'jW9IyST8wl', 'HFLIH4L3NX', 'GKEIgo0P7k', 'eQ8Ib4Wrkj', 'nQPIuGR7Ln', 'r6kIKTCh2Z', 'J7HILoAJgU'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, K7jmrZRRQcgZ5pqb1D.cs	High entropy of concatenated method names: 'Hu4fYDrUxC', 'eIDfF1E73L', 'ToString', 'QPwfJrp2fr', 'Ic3fdii3PM', 'GGJfIUCoYu', 'cZ2f2hhOAy', 'AMRfOriD9y', 'p7JfX88YhD', 'vhFfGSpHZ4'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, HR8leUGke1iYnYjYyR.cs	High entropy of concatenated method names: 'yjpVNTOuZc', 'vK6VJ5nnju', 'l2xVdCmqrx', 'b35VI7IK7r', 'YWTV2YeyT2', 'haeVOokwmW', 'DXoVX9LxsN', 'MFRVGIe7Sd', 'Nn9ViD3q0f', 'uCBVYXsPTq'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, SOlrbVphIZvVVgwFII.cs	High entropy of concatenated method names: 'jqqjThYLc', 'rOcPJm1vb', 'hoL62EtRr', 'GodquCEL0', 'ryF0uL2on', 'aPRnD9QxF', 'fS9tcrnu5ha5khyliU', 'gtlhy0svWtgTAcPhqP', 'nLLm4llLx', 'CGk7LH48b'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, VZCaVb047QqRNiqTpY.cs	High entropy of concatenated method names: 'joiIPSSqqY', 'KtVI6dxpD1', 'KAKI9IOLU3', 'sOgI0rwryp', 'T9oIoLjiuU', 'aZJITeMNFd', 'xg1IfZ3058', 'KymImRxvX4', 'DlVIrhkGlC', 'XkwI7aOe6t'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, MLSwxJ55tQu3yEi6g1B.cs	High entropy of concatenated method names: 'IIP7ZuHIU6', 'b4Z7z3LOk9', 'tt4UaIalcM', 'A6LU5NX9ql', 'tEcUpQ6HBt', 'UL4UVxTFSX', 'oVbUc6HxjH', 'US5UNLRqRv', 'JZ6UJshIfH', 'dOQUdtmTx0'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, EwdQpKZIR41WdNr8Gs.cs	High entropy of concatenated method names: 'Rh87IpgDjI', 'POV72nhjq2', 'z7w7OVI9Mx', 'RKm7XJVUjG', 'jk67rOI7Df', 'nsu7GRbxGv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, z4Z2jKKxvYLLJRBmCR.cs	High entropy of concatenated method names: 'DyRXMh54yE', 'sQxXEKyGK8', 'YHmXjyEdbN', 'kyyXPGZwjV', 'QDoXCfRaoF', 'S0mX6ooW6S', 'zJTXqUsxu8', 'LmIX9ADekx', 'xbMX0KwQCa', 'KM7Xnuub77'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, OmjNYv5cibqVT7ixO7C.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Or4xr1iMD9', 'jIpx7fRXaj', 'HVexUtBZhO', 'zZSxxbDwQ2', 'svMxkUAJrZ', 'h1BxD6rAvE', 'mQHxhBhrKw'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, mpMEGKsqoCcoqntDFF.cs	High entropy of concatenated method names: 'V6YONpEVDi', 'rwfOd4iLGi', 'kVjO2JiW7m', 'U6KOXARuGi', 'LhwOGZpDjt', 'RnV23RFnD4', 'bJq28SmWL6', 'BRx2ARyPvK', 'jS52SpTA49', 'EME2WpXG4G'
Source: 0.2.nuevo orden.exe.3c4c070.0.raw.unpack, bnfH3TA3xVDHxNHKf8.cs	High entropy of concatenated method names: 'pCsro2MtX8', 'c8Brf8CUJw', 'pVarroPZoO', 'qf1rUJaHJS', 'EmarkXSUjj', 'QkGrhMfHjZ', 'Dispose', 'OyjmJvoM1V', 'uZxmdXAASX', 'LK1mI2jt3u'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, nUVMUTwJNZb0qjIrXS.cs	High entropy of concatenated method names: 'SXgoL4rcAk', 'Qq2otgARNP', 'cLUowbKDBm', 'QlGoeFSCFI', 'kkdovAg1pd', 'idxolj0WpW', 'T3JoyqGeHj', 'YhsoHfvMHG', 'UdAog4Rg8f', 'GicobW7J6w'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, f8GXSI8dfcOXDYFeYq.cs	High entropy of concatenated method names: 'gsefS2Ipfw', 'bckfZnkSJd', 'uXKmaOlKYJ', 'nHim56GS9q', 'V7xf1q5sqT', 'XFgftXqMlb', 'YT0fQHvCuw', 'psofwNXUGr', 'ImnfeKRyOW', 'Dh5f4a8Uhk'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, aVCaA3d0t28yPseesH.cs	High entropy of concatenated method names: 'Dispose', 'cDH5WxNHKf', 'A9HpvqcUuH', 'Ppl79mdxgQ', 'VkO5ZvLNmX', 'SaZ5zPcllJ', 'ProcessDialogKey', 'omBpaG3nY4', 'aG6p5dMwpG', 'y1Opp0wdQp'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, YvGYe7QSIaOMfnsZd7.cs	High entropy of concatenated method names: 'xWkB9JKPKZ', 'gRvB0EL2Lr', 'UG4Bshbst5', 'meGBvlfebT', 'HOLBybMT8P', 'sujBHFcDts', 'NtTBb3VBTr', 'VICBuAARuw', 'DDbBLlkHCT', 'VPrB1mdk36'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, nG3nY4WaG6dMwpGE1O.cs	High entropy of concatenated method names: 'ne8rs8wymQ', 'iy0rvCPHxr', 'zdkrlCv9Bn', 'FqoryYjXer', 'Xd7rHiaxc6', 'HV5rgOCucM', 'kJ6rbayMZ1', 'rScruqfhg2', 'A9vrKTKXrw', 'ueurLdiyIn'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, Sn3ea7bCGZDnbqhIeB.cs	High entropy of concatenated method names: 'WK1XJa8Ayn', 'dSUXIwYoLS', 'yWoXORobS7', 'K0WOZWjrjZ', 'hD2OzWFaMH', 'NNnXah9ILP', 'wItX5pi3DQ', 'qv5Xpt2XPA', 'M85XVqNbSv', 'oFXXcJhf2Q'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, gwUc6n5aqAXhZTNg0YF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tdp71tij87', 'Dqg7t9PI7f', 'veZ7QHjcg2', 'NYI7w2QcxK', 'hqY7ex1Umf', 'BS974sUTcE', 'hBA7RpvEft'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, jNAS4j9fQeCL43sUac.cs	High entropy of concatenated method names: 'hvjdw089V1', 'jyEdeLmewR', 'DXyd498Ht8', 'HJAdROOjiw', 'TYdd3Um2PQ', 'f0ld8NECLy', 'M7rdAilwoQ', 'GcXdSPqap7', 'zvcdWqGcK0', 'TMEdZZXfus'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, eSXgHXcJKytyOiMBEX.cs	High entropy of concatenated method names: 'UrX5XNAS4j', 'qQe5GCL43s', 'L475YQqRNi', 'CTp5FY2KAQ', 'kNH5o3eYpM', 'yGK5TqoCco', 'NnRwJaJRUDOwFK9IYZ', 'w7NN8ZhXn1qbwd4aLE', 'OXK55iJ7s0', 'p6I5VbPHGu'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, xR9B3jzrW6xI5Sipho.cs	High entropy of concatenated method names: 'gZM76B5Ds8', 'YLm794PitH', 'Gku70pO18a', 'hgg7swNnrg', 'v1C7v5gHfw', 'Hck7ys0yxM', 'mGJ7HGqDa0', 'GPH7hFAnrp', 'Db37MD7kPL', 'L7M7EwEEK5'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, hKAQbOnUNmjciGNH3e.cs	High entropy of concatenated method names: 'Mhl2CQbhIU', 'oEm2qjnfGh', 'WM7IlMXkLr', 'jW9IyST8wl', 'HFLIH4L3NX', 'GKEIgo0P7k', 'eQ8Ib4Wrkj', 'nQPIuGR7Ln', 'r6kIKTCh2Z', 'J7HILoAJgU'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, K7jmrZRRQcgZ5pqb1D.cs	High entropy of concatenated method names: 'Hu4fYDrUxC', 'eIDfF1E73L', 'ToString', 'QPwfJrp2fr', 'Ic3fdii3PM', 'GGJfIUCoYu', 'cZ2f2hhOAy', 'AMRfOriD9y', 'p7JfX88YhD', 'vhFfGSpHZ4'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, HR8leUGke1iYnYjYyR.cs	High entropy of concatenated method names: 'yjpVNTOuZc', 'vK6VJ5nnju', 'l2xVdCmqrx', 'b35VI7IK7r', 'YWTV2YeyT2', 'haeVOokwmW', 'DXoVX9LxsN', 'MFRVGIe7Sd', 'Nn9ViD3q0f', 'uCBVYXsPTq'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, SOlrbVphIZvVVgwFII.cs	High entropy of concatenated method names: 'jqqjThYLc', 'rOcPJm1vb', 'hoL62EtRr', 'GodquCEL0', 'ryF0uL2on', 'aPRnD9QxF', 'fS9tcrnu5ha5khyliU', 'gtlhy0svWtgTAcPhqP', 'nLLm4llLx', 'CGk7LH48b'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, VZCaVb047QqRNiqTpY.cs	High entropy of concatenated method names: 'joiIPSSqqY', 'KtVI6dxpD1', 'KAKI9IOLU3', 'sOgI0rwryp', 'T9oIoLjiuU', 'aZJITeMNFd', 'xg1IfZ3058', 'KymImRxvX4', 'DlVIrhkGlC', 'XkwI7aOe6t'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, MLSwxJ55tQu3yEi6g1B.cs	High entropy of concatenated method names: 'IIP7ZuHIU6', 'b4Z7z3LOk9', 'tt4UaIalcM', 'A6LU5NX9ql', 'tEcUpQ6HBt', 'UL4UVxTFSX', 'oVbUc6HxjH', 'US5UNLRqRv', 'JZ6UJshIfH', 'dOQUdtmTx0'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, EwdQpKZIR41WdNr8Gs.cs	High entropy of concatenated method names: 'Rh87IpgDjI', 'POV72nhjq2', 'z7w7OVI9Mx', 'RKm7XJVUjG', 'jk67rOI7Df', 'nsu7GRbxGv', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, z4Z2jKKxvYLLJRBmCR.cs	High entropy of concatenated method names: 'DyRXMh54yE', 'sQxXEKyGK8', 'YHmXjyEdbN', 'kyyXPGZwjV', 'QDoXCfRaoF', 'S0mX6ooW6S', 'zJTXqUsxu8', 'LmIX9ADekx', 'xbMX0KwQCa', 'KM7Xnuub77'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, OmjNYv5cibqVT7ixO7C.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Or4xr1iMD9', 'jIpx7fRXaj', 'HVexUtBZhO', 'zZSxxbDwQ2', 'svMxkUAJrZ', 'h1BxD6rAvE', 'mQHxhBhrKw'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, mpMEGKsqoCcoqntDFF.cs	High entropy of concatenated method names: 'V6YONpEVDi', 'rwfOd4iLGi', 'kVjO2JiW7m', 'U6KOXARuGi', 'LhwOGZpDjt', 'RnV23RFnD4', 'bJq28SmWL6', 'BRx2ARyPvK', 'jS52SpTA49', 'EME2WpXG4G'
Source: 0.2.nuevo orden.exe.78f0000.4.raw.unpack, bnfH3TA3xVDHxNHKf8.cs	High entropy of concatenated method names: 'pCsro2MtX8', 'c8Brf8CUJw', 'pVarroPZoO', 'qf1rUJaHJS', 'EmarkXSUjj', 'QkGrhMfHjZ', 'Dispose', 'OyjmJvoM1V', 'uZxmdXAASX', 'LK1mI2jt3u'

Source: C:\Users\user\Desktop\nuevo orden.exe

File created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Jump to dropped file

Source: C:\Users\user\Desktop\nuevo orden.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZUHFqcY			Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZUHFqcY			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\nuevo orden.exe

File opened: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 356, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 49B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 7A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 8A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 8C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 9C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 4860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 73E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 83E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 8580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 4640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 70A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 80A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 8240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 9240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 11F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5950	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3782	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Window / User API: threadDelayed 1584	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Window / User API: threadDelayed 4101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 4602	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 1147	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 456
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Window / User API: threadDelayed 4677

Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 1128	Thread sleep count: 1584 > 30	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 1128	Thread sleep count: 4101 > 30	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99667s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99542s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99322s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99183s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98964s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98746s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98309s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe TID: 5260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1340	Thread sleep count: 4602 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1340	Thread sleep count: 1147 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98466s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97156s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -97040s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 1088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4784	Thread sleep count: 456 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 4784	Thread sleep count: 4677 > 30
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97468s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe TID: 5172	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\nuevo orden.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99667	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99542	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99322	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99183	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98964	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98858	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98746	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98309	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97328	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97109	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98466	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98125
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 98015
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97468
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Thread delayed: delay time: 922337203685477

Source: nuevo orden.exe, 00000000.00000002.2201625930.0000000006E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}rJ
Source: ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: nuevo orden.exe, 00000000.00000002.2201625930.0000000006E34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001345000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\nuevo orden.exe

Code function: 5_2_011170B8 CheckRemoteDebuggerPresent,

5_2_011170B8

Source: C:\Users\user\Desktop\nuevo orden.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nuevo orden.exe	Memory written: C:\Users\user\Desktop\nuevo orden.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory written: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Memory written: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Process created: C:\Users\user\Desktop\nuevo orden.exe "C:\Users\user\Desktop\nuevo orden.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Process created: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe "C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Users\user\Desktop\nuevo orden.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Users\user\Desktop\nuevo orden.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\nuevo orden.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5344, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\nuevo orden.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\nuevo orden.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5344, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3c07e70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.nuevo orden.exe.3bcc450.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3422052551.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 5172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nuevo orden.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZUHFqcY.exe PID: 5344, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	521 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nuevo orden.exe	55%	ReversingLabs	ByteCode-MSIL.Hacktool.Aikaantivm
nuevo orden.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe	55%	ReversingLabs	ByteCode-MSIL.Hacktool.Aikaantivm

Source	Detection	Scanner	Label	Link
http://ocsp.sectigo.com0A	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.199.224	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0A	nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.m	ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	nuevo orden.exe, 00000005.00000002.3417276138.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3417276138.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002F3F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3440664568.00000000061B0000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3417281316.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3440462278.0000000006347000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3418014149.0000000001326000.00000004.00000020.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	nuevo orden.exe, 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp	false		high
http://us2.smtp.mailhostbox.com	nuevo orden.exe, 00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002EAD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nuevo orden.exe, 00000000.00000002.2196528166.0000000002A0B000.00000004.00000800.00020000.00000000.sdmp, nuevo orden.exe, 00000005.00000002.3421733340.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000006.00000002.2319147071.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000009.00000002.2396410946.000000000269E000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com/line/?fields=hostingJ	ZUHFqcY.exe, 0000000A.00000002.3418014149.00000000012A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	nuevo orden.exe, ZUHFqcY.exe.5.dr	false		high
http://ip-api.com	nuevo orden.exe, 00000005.00000002.3421733340.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 00000007.00000002.3422052551.0000000002BFC000.00000004.00000800.00020000.00000000.sdmp, ZUHFqcY.exe, 0000000A.00000002.3421195838.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
208.91.199.224	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555015
Start date and time:	2024-11-13 10:26:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nuevo orden.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/9@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 120 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: nuevo orden.exe

Simulations

Behavior and APIs

Time	Type	Description
04:27:05	API Interceptor	29x Sleep call for process: nuevo orden.exe modified
04:27:07	API Interceptor	11x Sleep call for process: powershell.exe modified
04:27:18	API Interceptor	55x Sleep call for process: ZUHFqcY.exe modified
10:27:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ZUHFqcY C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
10:27:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ZUHFqcY C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	INV & BANK DETAILS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Halkbank_Ekstre.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse	ip-api.com/json
	Sipari_.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	IgTdifcj7HukYrd.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de Compra No. 434565344657.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	INV & BANK DETAILS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Halkbank_Ekstre.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse	208.95.112.1
	Sipari_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	IgTdifcj7HukYrd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra No. 434565344657.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	208.95.112.1
us2.smtp.mailhostbox.com	Lpjrd6Wxad.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	Nt8BLNLKN7.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.91.199.223
	copto de pago.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	transferencia interbancaria_867897870877.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	INV & BANK DETAILS.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Halkbank_Ekstre.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse	208.95.112.1
	Sipari_.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse	208.95.112.1
	IgTdifcj7HukYrd.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de Compra No. 434565344657.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
PUBLIC-DOMAIN-REGISTRYUS	PO ALJAT-5804-2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	INQ#84790.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	https://u34251876.ct.sendgrid.net/ls/click?upn=u001.ordJ57g0HVndDa8Km-2BVUUFN1eIn5tdzIxrKbgsGfF9eVdl7b-2Fab-2BrUBdfIXH9yijR5LLM7kgivkgUI3nC3VajM00UDrq4ekI2XREqo0QmHcHyDyYWomvx9-2FHEtQ3o5rBM9AHzVSsjnwFSEJqic-2BEtw-3D-3DBxNa_qINdfz5Lp8EahgxJXfgGV-2Bk7caEgTUs2gtUTKNMgBkZ9mbVIMd-2B1UUN0TqdRRGrocW81C18onNWNx5Y6KM88Rr7odKCqMhALUPuUbXGlkOo01sEKeKdphXRhykHXKfSB-2By1s-2BNAgCL9-2BbtY8LNaKNV0sXQnlv-2F9fA-2BLZtaeadaVGHb32bFHhcOwS3ltfr2dig92MY6M8DrwwYiolgI1k4Q-3D-3D	Get hash	malicious	Unknown	Browse	216.10.246.48
	LPO24.0524.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	MJ5bO7kS7j.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.107
	xxTupY4Fr3.xlsx	Get hash	malicious	Unknown	Browse	207.174.214.153
	xz8lxAetNu.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	Lpjrd6Wxad.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.198.143
	w6dnPra4mx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	162.251.80.30
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39

Process:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nuevo orden.exe.log

Download File

Process:	C:\Users\user\Desktop\nuevo orden.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
MD5:	3978978DE913FD1C068312697D6E5917
SHA1:	1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
SHA-256:	33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
SHA-512:	78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:QWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	0CBD5C86CC1353C7EF09E2ED3E0829E3
SHA1:	0FFE29A715ED1E32BB9491D3DD88FB72280ED040
SHA-256:	B7A6D1B47CEA0A5084460775416103112E56A7A423216183ABAC974960FD51E7
SHA-512:	C60EC6550188DCCD1EAD93CC49011BAC45134426ADEF81410468A1F613AD8F2E67AEF296F5C92092A62BFAC746FCA9DC8741FEC5600996F28A48BF2488E94D40
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gronkilf.uie.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l104djgz.owj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0owurjf.x0c.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytuyx3ok.f53.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Download File

Process:	C:\Users\user\Desktop\nuevo orden.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	708096
Entropy (8bit):	7.93950181377389
Encrypted:	false
SSDEEP:	12288:q5/TyEluCIzXI+1jessAS3qi6A3xfwCgnac4zFC6:q5/uElunIIje0C53BwlnacW
MD5:	1AF621550628EE8ACE6EA7C6AFEFB0FE
SHA1:	0C06B92BE85B5810E75709B307EF28DF4A5623BB
SHA-256:	D097AECE3AFAF2EEAFCE3FEA88DC99E98EF31465BB9216FBC4BBC0C649DEA94C
SHA-512:	8AE4A8EE8971080DADAB59C56C694D7DA3D9552844CE0A61D27B16A43D7F1F52807FB63082640B76FCD0E2B1DA52C02B33B0B688DD699F5B9047435493715B06
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}u3g..............0......&......b.... ........@.. .......................@............`.....................................O........#................... ......p...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc....#.......$..................@..@.reloc....... ......................@..B................D.......H........R...x...........................................................0..]........s....}.....r...p}.....r...p}.....(.....(.....{.....o.....{.....o.....{...........s"...o....6..o....(......0...........r!..p(....-..rm..p(....--.r...p(....->+X.{.....}.....{....r...po....+:.{.....}.....{....r...po....+..{.....}.....{....rq..po.....{.....{....o......0...........{......E............&...+4.{....r...po....+".{....r...po....+..{....rq..po.....{......E............#....{....r&..p

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\nuevo orden.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.93950181377389
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nuevo orden.exe
File size:	708'096 bytes
MD5:	1af621550628ee8ace6ea7c6afefb0fe
SHA1:	0c06b92be85b5810e75709b307ef28df4a5623bb
SHA256:	d097aece3afaf2eeafce3fea88dc99e98ef31465bb9216fbc4bbc0c649dea94c
SHA512:	8ae4a8ee8971080dadab59c56c694d7da3d9552844ce0a61d27b16a43d7f1f52807fb63082640b76fcd0e2b1da52c02b33b0b688dd699f5b9047435493715b06
SSDEEP:	12288:q5/TyEluCIzXI+1jessAS3qi6A3xfwCgnac4zFC6:q5/uElunIIje0C53BwlnacW
TLSH:	26E4029032D88D37C27A13346A35A008A6F340675538D2A5FDDE7A5F1F7BB521263BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}u3g..............0......&......b.... ........@.. .......................@............`................................

File Icon


Icon Hash:	33f8e8cef4719964

Static PE Info

General

Entrypoint:	0x4ac562
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6733757D [Tue Nov 12 15:34:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac510	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x23d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaa370	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa568	0xaa600	2f3661bd338473e0b0ec0db6b9c2d782	False	0.9285955841892883	data	7.945028236511907	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x23d4	0x2400	c60516e43cc06ae55aae63f01792b462	False	0.9021267361111112	data	7.620131830534139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	a5e551b7932ef2bae44ee80b36942559	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xae0c8	0x1fda	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9612460142261466
RT_GROUP_ICON	0xb00b4	0x14	data	1.05
RT_VERSION	0xb00d8	0x2f8	data	0.4473684210526316

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T10:27:24.083031+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.6	49785	TCP
2024-11-13T10:28:02.316167+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.6	49993	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 10:27:08.255013943 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:08.260045052 CET	80	49714	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:08.260122061 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:08.260946989 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:08.266015053 CET	80	49714	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:08.854911089 CET	80	49714	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:08.909975052 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:09.519921064 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:09.524945974 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:09.525036097 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.375308037 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.376214981 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.381109953 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.531347036 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.531672955 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.536567926 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.686549902 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.697129011 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.702028036 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.852154970 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.852185965 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.852196932 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.852206945 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.852241039 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.852272987 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.884828091 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:10.925584078 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.934262991 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:10.939264059 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.267261982 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.283376932 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:11.288331985 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.447263002 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.448168993 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:11.453882933 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.610460043 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.610825062 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:11.615781069 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.772150993 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.772452116 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:11.777266026 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.929075956 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:11.929536104 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:11.934477091 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.116233110 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.116492987 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:12.121375084 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.272085905 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.272886038 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:12.273000956 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:12.273086071 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:12.273113012 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:12.277776957 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.277854919 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.277867079 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.277892113 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.571400881 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:12.613101959 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:19.924964905 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:19.930092096 CET	80	49773	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:19.930176020 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:19.930484056 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:19.935332060 CET	80	49773	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:20.564347029 CET	80	49773	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:20.613080978 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:21.400636911 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:21.405637026 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:21.405770063 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:21.970335007 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:21.970717907 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:21.975632906 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.124262094 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.124491930 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.129407883 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.277900934 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.290393114 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.295214891 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.443720102 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.443777084 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.443802118 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.443844080 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.443866968 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.443877935 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.444353104 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.476517916 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.476608038 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.478117943 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.482907057 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.631886005 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.645287037 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.650245905 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.799143076 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.799582958 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.804482937 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.956587076 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:22.957190990 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:22.962234020 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.122371912 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.122757912 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.128587961 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.280128002 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.280755997 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.285629034 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.461602926 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.461915016 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.466845989 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.824893951 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:23.825768948 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.825768948 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.825819969 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:23.825819969 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:24.036386013 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:24.081394911 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.081461906 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:24.081702948 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.081866026 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:24.082556963 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.082571983 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.082585096 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.082597971 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.082942963 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.359585047 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:24.410403967 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:27.740410089 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:27.745284081 CET	80	49814	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:27.745402098 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:27.745681047 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:27.750643015 CET	80	49814	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:28.363729000 CET	80	49814	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:28.409996033 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:28.924904108 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:28.930202961 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:28.930532932 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:29.505944014 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.506447077 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:29.511557102 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.667036057 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.667287111 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:29.673857927 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.822175026 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.826100111 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:29.831049919 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.981101036 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.981122017 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.981133938 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.981148958 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:29.981232882 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:29.981271982 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.013190031 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.014775991 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.019701004 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.169986963 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.182995081 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.188112020 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.337498903 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.337904930 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.342868090 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.495165110 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.495527029 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.500818014 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.655458927 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.655771971 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.660698891 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.813353062 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.813617945 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:30.818686008 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.997155905 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:30.997395039 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:31.002728939 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.153853893 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.154689074 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:31.154768944 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:31.154797077 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:31.154819012 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:31.161035061 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.161046028 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.638510942 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.668343067 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:27:31.668438911 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:27:41.998137951 CET	80	49714	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:41.998243093 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:57.304924011 CET	80	49773	208.95.112.1	192.168.2.6
Nov 13, 2024 10:27:57.305063963 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:59.519629002 CET	49714	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:27:59.524645090 CET	80	49714	208.95.112.1	192.168.2.6
Nov 13, 2024 10:28:02.670169115 CET	80	49814	208.95.112.1	192.168.2.6
Nov 13, 2024 10:28:02.670298100 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:28:11.410315037 CET	49773	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:28:11.415360928 CET	80	49773	208.95.112.1	192.168.2.6
Nov 13, 2024 10:28:18.926074028 CET	49814	80	192.168.2.6	208.95.112.1
Nov 13, 2024 10:28:18.931919098 CET	80	49814	208.95.112.1	192.168.2.6
Nov 13, 2024 10:28:49.535414934 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:28:49.540811062 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:28:49.691485882 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:28:49.691766024 CET	587	49715	208.91.199.224	192.168.2.6
Nov 13, 2024 10:28:49.691823959 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:28:49.696846962 CET	49715	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:01.426139116 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:01.431282043 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:01.580173016 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:01.580653906 CET	587	49780	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:01.580715895 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:01.583903074 CET	49780	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:08.941601992 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:08.946679115 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:09.097208023 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:09.097234011 CET	587	49825	208.91.199.224	192.168.2.6
Nov 13, 2024 10:29:09.097604990 CET	49825	587	192.168.2.6	208.91.199.224
Nov 13, 2024 10:29:09.102421999 CET	49825	587	192.168.2.6	208.91.199.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 10:27:08.239479065 CET	51998	53	192.168.2.6	1.1.1.1
Nov 13, 2024 10:27:08.246428013 CET	53	51998	1.1.1.1	192.168.2.6
Nov 13, 2024 10:27:09.509762049 CET	56661	53	192.168.2.6	1.1.1.1
Nov 13, 2024 10:27:09.518619061 CET	53	56661	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 10:27:08.239479065 CET	192.168.2.6	1.1.1.1	0xa11c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Nov 13, 2024 10:27:09.509762049 CET	192.168.2.6	1.1.1.1	0x33b	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 10:27:08.246428013 CET	1.1.1.1	192.168.2.6	0xa11c	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Nov 13, 2024 10:27:09.518619061 CET	1.1.1.1	192.168.2.6	0x33b	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Nov 13, 2024 10:27:09.518619061 CET	1.1.1.1	192.168.2.6	0x33b	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Nov 13, 2024 10:27:09.518619061 CET	1.1.1.1	192.168.2.6	0x33b	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Nov 13, 2024 10:27:09.518619061 CET	1.1.1.1	192.168.2.6	0x33b	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49714	208.95.112.1	80	6256	C:\Users\user\Desktop\nuevo orden.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:27:08.260946989 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 13, 2024 10:27:08.854911089 CET	174	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 09:27:07 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49773	208.95.112.1	80	5268	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:27:19.930484056 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 13, 2024 10:27:20.564347029 CET	174	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 09:27:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49814	208.95.112.1	80	5344	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:27:27.745681047 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 13, 2024 10:27:28.363729000 CET	174	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 09:27:27 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 40 X-Rl: 43 Data Raw: 74 72 75 65 0a Data Ascii: true

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 13, 2024 10:27:10.375308037 CET	587	49715	208.91.199.224	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 13, 2024 10:27:10.376214981 CET	49715	587	192.168.2.6	208.91.199.224	EHLO 377142
Nov 13, 2024 10:27:10.531347036 CET	587	49715	208.91.199.224	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 13, 2024 10:27:10.531672955 CET	49715	587	192.168.2.6	208.91.199.224	STARTTLS
Nov 13, 2024 10:27:10.686549902 CET	587	49715	208.91.199.224	192.168.2.6	220 2.0.0 Ready to start TLS
Nov 13, 2024 10:27:21.970335007 CET	587	49780	208.91.199.224	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 13, 2024 10:27:21.970717907 CET	49780	587	192.168.2.6	208.91.199.224	EHLO 377142
Nov 13, 2024 10:27:22.124262094 CET	587	49780	208.91.199.224	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 13, 2024 10:27:22.124491930 CET	49780	587	192.168.2.6	208.91.199.224	STARTTLS
Nov 13, 2024 10:27:22.277900934 CET	587	49780	208.91.199.224	192.168.2.6	220 2.0.0 Ready to start TLS
Nov 13, 2024 10:27:29.505944014 CET	587	49825	208.91.199.224	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Nov 13, 2024 10:27:29.506447077 CET	49825	587	192.168.2.6	208.91.199.224	EHLO 377142
Nov 13, 2024 10:27:29.667036057 CET	587	49825	208.91.199.224	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 13, 2024 10:27:29.667287111 CET	49825	587	192.168.2.6	208.91.199.224	STARTTLS
Nov 13, 2024 10:27:29.822175026 CET	587	49825	208.91.199.224	192.168.2.6	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	04:27:04
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\nuevo orden.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nuevo orden.exe"
Imagebase:	0x670000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2198129748.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:27:05
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nuevo orden.exe"
Imagebase:	0xa30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:27:05
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:27:05
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\nuevo orden.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nuevo orden.exe"
Imagebase:	0xa40000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3421733340.0000000002F5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3421733340.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3421733340.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	04:27:17
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0x4e0000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:27:18
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0x650000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3422052551.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3422052551.0000000002C36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3422052551.0000000002C6B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3415403340.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:27:25
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0x2a0000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:27:26
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe"
Imagebase:	0xa00000
File size:	708'096 bytes
MD5 hash:	1AF621550628EE8ACE6EA7C6AFEFB0FE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3421195838.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3421195838.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3421195838.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	237
Total number of Limit Nodes:	8

Executed Functions

Function 07891E68 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2203039179.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7890000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4c9e71b366a855b73376302fd6b7e5e685875d9350d26550a4a2e6773e910b
Instruction ID: 1320e4ee08ed5d859227ea53db18ae92ba6c8fe488c48709ecbe9090f8cdf92c
Opcode Fuzzy Hash: 3b4c9e71b366a855b73376302fd6b7e5e685875d9350d26550a4a2e6773e910b
Instruction Fuzzy Hash: E9328CB4B012059FDB19DFA9D854BAEBBF6AF89300F184069E506DB3A0CB35ED01CB51

Function 07890040 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2203039179.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7890000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f69fa2441c77f47c4a28a691578ad5351eb878c6472e5140a1701aa813254e
Instruction ID: 22b435f68d3646029018a720e24fca7ec1b6a81497b20e3b229a03861a327507
Opcode Fuzzy Hash: 60f69fa2441c77f47c4a28a691578ad5351eb878c6472e5140a1701aa813254e
Instruction Fuzzy Hash: C07127B1D0522ECBEF64CF66CC407E9BBB6BF99304F1491AAD509A6244EB705AC5CF40

Function 06F2E9A4 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F2EBE6

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9e946562854f6acc73186da7ca2afe3b7cce9cf876451e529ee380038570a2dc
Instruction ID: 6502b0c41350b60e32dfdeb9e8f89cc488a73697a02c07235d1c76ddc4162236
Opcode Fuzzy Hash: 9e946562854f6acc73186da7ca2afe3b7cce9cf876451e529ee380038570a2dc
Instruction Fuzzy Hash: C6A13C71D0062ADFEF64CFA8C8417EDBBB2BF48710F1485A9E809A7240DB749985CF91

Function 06F2E9B0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F2EBE6

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dd2f564e387b0c56cb239ccb71132177bff28779df29cbe5b8cd9cd09dcc096e
Instruction ID: 7e81bfa2f443f9c59980bc633e44389f5e7028c4d014a90dca0069ae735bb646
Opcode Fuzzy Hash: dd2f564e387b0c56cb239ccb71132177bff28779df29cbe5b8cd9cd09dcc096e
Instruction Fuzzy Hash: 97914D71D0062ADFEF64CFA8C8417EDBBB2BF48714F1485A9E809A7240DB749985CF91

Function 0281A9E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0281AC3E

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5159b816df57a2b268f0b756ec95bc0d15d9aaaa96863947f2ec9253d1afc5f6
Instruction ID: a2837ca8ffbc93997e3e25dfb8e1db45a26a6a67e230a2d61af2f8c493a3369e
Opcode Fuzzy Hash: 5159b816df57a2b268f0b756ec95bc0d15d9aaaa96863947f2ec9253d1afc5f6
Instruction Fuzzy Hash: 38714778A00B058FD728DF69D15475ABBF6FF88304F008A2ED08AD7A80DB74E855CB91

Function 06F2E2E8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F2E380

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5f166410ab72f99c974a70e8700a6ff8173ee715d07488d96f16ac2fd9f07c79
Instruction ID: 5b048426b54fc7f4169d154e4146194d60d4ae8f84b4a8e505b4600c3ee4901a
Opcode Fuzzy Hash: 5f166410ab72f99c974a70e8700a6ff8173ee715d07488d96f16ac2fd9f07c79
Instruction Fuzzy Hash: D221447190035A9FDB10CFAAC881BEEBBF5FF48310F10842AE919A7250C7789954CBA4

Function 06F2E2F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F2E380

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: db9609d131b16ed6281d7553c6c290dd3805d1647698779c2d08b7603d234b92
Instruction ID: 13e8529315909ee352f80abedd557612f4cd82b9ba3500ccf477eb3ce3ee56c7
Opcode Fuzzy Hash: db9609d131b16ed6281d7553c6c290dd3805d1647698779c2d08b7603d234b92
Instruction Fuzzy Hash: 4D21137290035A9FDB10CFAAC885BDEBBF5BF48310F10842AE919A7250C7789954CBA4

Function 06F2E810 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F2E898

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c12d544a2d7f5c1721998da36bb997f6fe02c2cf4f19f301227d3d56827d0d8f
Instruction ID: cb8ca933596108658653e0d3eff138d5cc91866de261f8ab0ee0dbc8adf9d4ec
Opcode Fuzzy Hash: c12d544a2d7f5c1721998da36bb997f6fe02c2cf4f19f301227d3d56827d0d8f
Instruction Fuzzy Hash: 23212771C013499FDB10DFAAC885ADEBBF5FF48310F108429E559A7240C7789551CBA0

Function 0281D2BA Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0281D286,?,?,?,?,?), ref: 0281D347

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 252a8fec9b59f044535ae5a67cab83162975e6389f74d76799fd7b96e187b7db
Instruction ID: 1ea232f44c82003e17b2e248a713cdde773ceae4e3472f323d4a075d5a6f8720
Opcode Fuzzy Hash: 252a8fec9b59f044535ae5a67cab83162975e6389f74d76799fd7b96e187b7db
Instruction Fuzzy Hash: 2221E5B5900249DFDB10CFAAD584ADEBFF4EB48320F14801AE918A7250D375A955CF61

Function 0281B3D0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0281D286,?,?,?,?,?), ref: 0281D347

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6b1544e940d502ffc0903a44722b9f62e3da64ae08779ac0dcd8812703cf410
Instruction ID: 301f6257654977a944e3e954d3307d0e1929347852f9d4e508fea05eb71b6156
Opcode Fuzzy Hash: c6b1544e940d502ffc0903a44722b9f62e3da64ae08779ac0dcd8812703cf410
Instruction Fuzzy Hash: 0D21E5B5900249DFDB10CF9AD584ADEBFF8EB48324F14805AE914A3350D378A954CFA4

Function 06F2E152 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F2E1D6

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: afb0dc4e4779825c463a57086e3ab5aeed6327f3ffd973c6b096cd2a34049349
Instruction ID: 51ca3db83bb81e5adff1abbe76b41ea6aa92f2bce12b9e7571525345e901f39d
Opcode Fuzzy Hash: afb0dc4e4779825c463a57086e3ab5aeed6327f3ffd973c6b096cd2a34049349
Instruction Fuzzy Hash: E0217C71D0030A8FDB10DFAAC8857EEBBF4EF48320F14842AD519A7240C7789544CFA4

Function 06F2E158 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F2E1D6

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dd5aa0e7c374bb97d1f64705f975c6a1d0d0204878950cb9c4859625189c34cd
Instruction ID: 5014a1a14c5d43eeaacd66fc300fd11c09f837ef185b32a0a20a23cb2713182e
Opcode Fuzzy Hash: dd5aa0e7c374bb97d1f64705f975c6a1d0d0204878950cb9c4859625189c34cd
Instruction Fuzzy Hash: 25214971D0030A8FDB50DFAAC8857EEBBF4EF88324F14842AD519A7240CB789944CFA5

Function 06F2E818 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F2E898

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e745becb00deb6ec31db11742b7af2a12096b4b6d47e5c8d2dac9f9e12fb0fb9
Instruction ID: c064fc839988dab88fb2385305e2d35ac3ef5d0e1d98224a77a3084ebe811db7
Opcode Fuzzy Hash: e745becb00deb6ec31db11742b7af2a12096b4b6d47e5c8d2dac9f9e12fb0fb9
Instruction Fuzzy Hash: BF211671D003599FDF10CFAAC881ADEBBF5FF48310F10842AE559A7240C7789550CBA5

Function 06F2E228 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F2E29E

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8b09b6fdeb7f03225732d69142071673ba7762ae6c20e7dabe7ed718f6364c1
Instruction ID: eb213297aa1abc4a147ec1e92ccd5bbfd1b3e9ad4a06304214a3360219fb898f
Opcode Fuzzy Hash: d8b09b6fdeb7f03225732d69142071673ba7762ae6c20e7dabe7ed718f6364c1
Instruction Fuzzy Hash: EF1159B690024A9FDF10DFAAC845BDFBBF5EF88320F208419E519A7250C7759550CFA1

Function 028194D8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0281954D

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ff1083db651550c1a2af6920ecfe817c42d40e023764880eb318676dc6be58d3
Instruction ID: 2719b75fdab2281b2ace8bfad7c8736081b5712bec0a4329d4fe06a6425a736c
Opcode Fuzzy Hash: ff1083db651550c1a2af6920ecfe817c42d40e023764880eb318676dc6be58d3
Instruction Fuzzy Hash: C411D2B9804788CFDB11CF59D5043DEBFF4EB04314F144099C599B3682C3795609CBA2

Function 06F2E0A0 Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 06F2E10A

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9f73cb9abfc545b204b2eb733445ff756ec3b3b05572b09782d86dfd16ecfef2
Instruction ID: 9400dbd041e56ba75cf760ba8f73ab6e47369d2cbfc4af9c6ddfd38e0e925e5b
Opcode Fuzzy Hash: 9f73cb9abfc545b204b2eb733445ff756ec3b3b05572b09782d86dfd16ecfef2
Instruction Fuzzy Hash: A5114671D007498BDB20DFAAC845BDEFBF4EF88724F24881AD519A7240CB79A544CFA5

Function 06F2E230 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F2E29E

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8196d47e4872647d43f2dff1c38eb3445d9db395dfb9f0f903cff24d21d7ecb8
Instruction ID: fa53f72f6fd1e964bf3d1d3eefe4ed59b4d8fd17434dcdc9fb65cb7515e7eebe
Opcode Fuzzy Hash: 8196d47e4872647d43f2dff1c38eb3445d9db395dfb9f0f903cff24d21d7ecb8
Instruction Fuzzy Hash: 6B11267290024A9FDF10DFAAC845BDEBBF5AF88324F248419E519A7250C775A550CFA1

Function 028194E8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0281954D

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e7a4c0b65e2fd7d66ad276bf7b22822a9945547739802abd8e169fb6623d0634
Instruction ID: 26ffe5660f2d3e68ffac3b8f57781e54a7bbbeeb890d4d4c5e23c31a29e452ef
Opcode Fuzzy Hash: e7a4c0b65e2fd7d66ad276bf7b22822a9945547739802abd8e169fb6623d0634
Instruction Fuzzy Hash: F21179B9804788CFDB10CF99D1043EEBFF8EB04314F504499D599A3682C3B9A608CBA2

Function 06F2E0A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06F2E10A

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bce9711d8fcb9add3eb0d43b8d5e90e1a675f8de50f5f8425c90b02fa22e8ddb
Instruction ID: 668ec586f4a6dcae2d51e2c30ac424ee8d4f1bb463bb0880839d4a4fad307414
Opcode Fuzzy Hash: bce9711d8fcb9add3eb0d43b8d5e90e1a675f8de50f5f8425c90b02fa22e8ddb
Instruction Fuzzy Hash: 12112871D003498FDB10DFAAC84579EFBF4AF88724F248419D519A7240CB79A544CF95

Function 078911F9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0789125D

Memory Dump Source

Source File: 00000000.00000002.2203039179.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7890000_nuevo orden.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 33c27cf7bf0909ec82f558914ec411a66708496000d69d60db3d4b68a51138cb
Instruction ID: 3472e98cba1dfd838b50489f65c9405e48fc5539018879678fb4c6b28f7eb08e
Opcode Fuzzy Hash: 33c27cf7bf0909ec82f558914ec411a66708496000d69d60db3d4b68a51138cb
Instruction Fuzzy Hash: 0711F5B5800349DFDB10DF9AD549BDEBFF9EB48320F10841AE518A3200C3B5A544CFA1

Function 0281ABD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0281AC3E

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1cec6067445101ed3b58955174210fa9a9a3d9f02f97fe24ff19f04950c59107
Instruction ID: 1fd20dd25a672568245db560f2378f96aa020e87a1cc21d8c766baaa18cbdf08
Opcode Fuzzy Hash: 1cec6067445101ed3b58955174210fa9a9a3d9f02f97fe24ff19f04950c59107
Instruction Fuzzy Hash: 2B1140BAC007498FDB14CF9AD544BCEFBF8AF88324F10841AD519A3200C3B9A544CFA0

Function 07891200 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0789125D

Memory Dump Source

Source File: 00000000.00000002.2203039179.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7890000_nuevo orden.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c9482d3196583ff7e1d6b8e8b9b70879a04b1fac1eb73d010d3862cd647bc31b
Instruction ID: 09704a73cb6a9f0b488cafa0b6d8f4898c82ae5f69afcaff62cf224997b2277b
Opcode Fuzzy Hash: c9482d3196583ff7e1d6b8e8b9b70879a04b1fac1eb73d010d3862cd647bc31b
Instruction Fuzzy Hash: 8F11F2B5800349DFDB10DF9AD588BDEBBF8EB48320F20841AD518A3200C3B5A544CFA1

Function 027CD0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195599570.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fb9727465f5a7f67cf7227f996d7bcf1113f6f041be1a053c12943c1979071
Instruction ID: e097ef0cbc9932d239a8aa8bf439a99acf5826ff232484eec67551142a444126
Opcode Fuzzy Hash: c7fb9727465f5a7f67cf7227f996d7bcf1113f6f041be1a053c12943c1979071
Instruction Fuzzy Hash: 8B2122B5504204EFDB24DF24D9C0B26BBA2FB88314F30C57DD90A4B352C77AD846CA61

Function 027CD294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195599570.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c97b35d1c0841f6c04df505c55715b685d546be53c19de8ed17c2d89db1d305
Instruction ID: 2798995d57eb4e60a1fe24bfdcf2ce8fe4eae4a469fa085171910abaca2f57d0
Opcode Fuzzy Hash: 3c97b35d1c0841f6c04df505c55715b685d546be53c19de8ed17c2d89db1d305
Instruction Fuzzy Hash: 782146B5604204EFDB24DF20D9C0B26BFA1FB88314F30C57DE80A0B252C37AD806CA61

Function 027CD0C8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195599570.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60843469088974c2152f39ff2bab4dffe721777c5b1106797744badb990278af
Instruction ID: eb3109175fd9ea111dcf5463157d55860e10928f0946a66b6363d7df4a71f04f
Opcode Fuzzy Hash: 60843469088974c2152f39ff2bab4dffe721777c5b1106797744badb990278af
Instruction Fuzzy Hash: 6F21A1755043849FDB12CF20D984B15BFB1EB49314F29C5AED8494B3A7C33AD816CB62

Function 027CD28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195599570.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: d2f0deb2ed6c6f3cb8b3d107e2aa811938a9fea010b64c72847977dfcd1f61a2
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 2C119D75504284DFCB15CF20D9C4B19BFB1FB84318F24C6AED8494B656C33AD44ACB61

Function 027BD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195560114.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467a4f033968c215083cfbb924919c9daa7c96254098031d9103b73e62a82080
Instruction ID: f82a8e30f94349d189e9b95ca315764fff549ecb8e954ba6f093eb09dddf1fd5
Opcode Fuzzy Hash: 467a4f033968c215083cfbb924919c9daa7c96254098031d9103b73e62a82080
Instruction Fuzzy Hash: DB012672004341DAE7318A26CD84BE6FF98EF41724F18C41AEE095A686C7B99840C6B1

Function 027BD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2195560114.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c823b431cce55eeb0fed2f31ed0a1784e3047ef4369baa8a78986ac063c60c
Instruction ID: 70b314779e743c27087abf9298345e880dead3debf63207ef737423af9be63e9
Opcode Fuzzy Hash: c6c823b431cce55eeb0fed2f31ed0a1784e3047ef4369baa8a78986ac063c60c
Instruction Fuzzy Hash: 24F096724053449EE7218E16DDC4BA2FFA8EF51735F18C45AFD084B686C379A844CBB1

Non-executed Functions

Function 06F203A8 Relevance: 3.1, Strings: 2, Instructions: 562COMMON

Download Yara Rule

Strings

:, xrefs: 06F20627
~, xrefs: 06F205C6

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID: :$~
API String ID: 0-2431124681
Opcode ID: e24d6bbd24a0125aeab73098e158bbde4194a1d3bd92bb017a457ae26866cae4
Instruction ID: d11227e33594ce5b509c1f21f14be25a5410c6b5bbdf8a3c7b7dde5af15e8711
Opcode Fuzzy Hash: e24d6bbd24a0125aeab73098e158bbde4194a1d3bd92bb017a457ae26866cae4
Instruction Fuzzy Hash: B542F276E00229DFDB55CFA8C984B99BBB2FF48304F1580E9E509AB261DB319D91CF50

Function 06F2C5E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32185f4d75af8f860d58e34029b2893b048dc7a94271a5edbc481b1c1e82769d
Instruction ID: ac517c75375b368a484efcdd3b275141cbc4da51517b535025875945aeb722d5
Opcode Fuzzy Hash: 32185f4d75af8f860d58e34029b2893b048dc7a94271a5edbc481b1c1e82769d
Instruction Fuzzy Hash: 70E12D74E042698FDB54DF99C580AAEFBF2FF89304F248269D414AB355D731A982CF60

Function 06F2E3E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817e0ec4484d925a6548d15eaaaac57007d322eeb1e972337b4b2da1b6542eae
Instruction ID: 918bd898be5ee8558bde17040634e0e9c84f4432e794f8acacb5a79df5b16c85
Opcode Fuzzy Hash: 817e0ec4484d925a6548d15eaaaac57007d322eeb1e972337b4b2da1b6542eae
Instruction Fuzzy Hash: 7DE12D74E042698FDB54DFA9C580AAEFBF2FF89304F248269D414AB355D731A942CF60

Function 06F2C1A8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c52128432e61c51af554b08baaf65a3abbb23f25ea7f1bcee19e413d502d84
Instruction ID: e89b3bafd4607b02c416c2576372446ba2fd5869a3975f355b4fd723f80a9e4c
Opcode Fuzzy Hash: 32c52128432e61c51af554b08baaf65a3abbb23f25ea7f1bcee19e413d502d84
Instruction Fuzzy Hash: CAE11A74E042698FDB54DFA8D580AAEBBF2FF89304F248159D414AB355D731AD42CFA0

Function 06F2BD70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da85e424c53db8bdd785f8b480cf80d646bd679109c00fb5c9ba0bb1f8ee61a
Instruction ID: 65fed1c1b71c31e29ab88ce3dd02e58a280950f916ae14a72e6f1b2cc75c19f4
Opcode Fuzzy Hash: 9da85e424c53db8bdd785f8b480cf80d646bd679109c00fb5c9ba0bb1f8ee61a
Instruction Fuzzy Hash: DBE11D74E042698FDB54DFA9D580AAEFBF2FF88304F248259D414AB355D731A982CF60

Function 06F2CA18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3998c029d1e1b5eb1782e6a2d87beb3a6be0316e4b6e5a82985b1c6912fe9a4a
Instruction ID: 76cfbdc1184370ba74ffaf0dc3d8e07c3c4ff1bd0b4cff3f107d093d4e106909
Opcode Fuzzy Hash: 3998c029d1e1b5eb1782e6a2d87beb3a6be0316e4b6e5a82985b1c6912fe9a4a
Instruction Fuzzy Hash: 72E13C74E042698FDB54DFA9D580AAEFBF2FF89304F248169D414AB315D731A942CFA0

Function 06F23550 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12bb2de14a6bce9eb85eaf3d1f9d6aa752cdd0280e75d0520db39792fc29ebb
Instruction ID: f8cd87c10a31c089448543493b6696d369ad1278fae48274a66eac7e2162cb93
Opcode Fuzzy Hash: e12bb2de14a6bce9eb85eaf3d1f9d6aa752cdd0280e75d0520db39792fc29ebb
Instruction Fuzzy Hash: 83D11535D2475ACADB01EF64D990AE9B7B2FF95300F10979AD10A3B214FB706AC4CB91

Function 0281CFA4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2196082239.0000000002810000.00000040.00000800.00020000.00000000.sdmp, Offset: 02810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2810000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837ee388adfc90bcf42a2f0205d799f1d9cf577acefbf518009747d1a17a0008
Instruction ID: 1f7ebbf934bf591c98b25f474492c155791c66f98f2ab93996bcfab76702993f
Opcode Fuzzy Hash: 837ee388adfc90bcf42a2f0205d799f1d9cf577acefbf518009747d1a17a0008
Instruction Fuzzy Hash: 77A17E3AE102098FCF09DFB8C94059EB7B6FF84304B15856AE905EB2A1DB35E915CF80

Function 06F23560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90ed2ea1a713ddee26dc20af60f250be507437df4ca0738b9650d1e0b5fdd88
Instruction ID: 302effd25525c60baeb0e375e97a9e920beca7de3c2a51a9a4d41e13ebd15894
Opcode Fuzzy Hash: b90ed2ea1a713ddee26dc20af60f250be507437df4ca0738b9650d1e0b5fdd88
Instruction Fuzzy Hash: 20D1F535D2475ACADB01EF64D990AE9B7B2FF95300F10979AD10A3B214FB706AC4CB91

Function 06F2C5DA Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08700c5874faaa5222ac6e3b85e992fe871b2d0e6de9550d4a0f93f01fcd3874
Instruction ID: 89dff718678fc1f01ff11a2ed105caf8a9ad1f6d4587b5523ad97762752d054a
Opcode Fuzzy Hash: 08700c5874faaa5222ac6e3b85e992fe871b2d0e6de9550d4a0f93f01fcd3874
Instruction Fuzzy Hash: CE511A74E042698FDB54DFA9C5805AEFBF6FF89300F248169D418AB315D7319942CFA1

Function 06F2E3DA Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d887a835ef78042278569b5a4e03ae1859900c21c3e248b6f27cc417689a25d
Instruction ID: 687311e21eabd11eab93ae461a2d65fcf04373637b83f9ede8d1a7865a9a453f
Opcode Fuzzy Hash: 9d887a835ef78042278569b5a4e03ae1859900c21c3e248b6f27cc417689a25d
Instruction Fuzzy Hash: 95512A74E0426A8FDB54DFA9C5805AEFBF6FF89300F248169D418AB316D7319942CFA1

Function 06F20398 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2202428478.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f20000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d97b9c5990b7370647ab934a67e6a4c3b2787ed29318ef1ea22a3c6ee24f8d
Instruction ID: 04c36dd9373ae1c8b8e3674b1c37a7f393f35e503681e04b00683b79425fdf0d
Opcode Fuzzy Hash: 36d97b9c5990b7370647ab934a67e6a4c3b2787ed29318ef1ea22a3c6ee24f8d
Instruction Fuzzy Hash: 4441A971E016298BEB68CF6BCC407CABBF3AFC9200F14C1A9D509A7254EB705985CF51

Function 07890007 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2203039179.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7890000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0f62972025f2e1b6ae23a02bfe3a40e0e213594870f4e4cc2baac7c9a7c9f3
Instruction ID: 0ac2ab1535e279a7f7ae630b7e56bd2a880701b64308be9a706e3104d73b3233
Opcode Fuzzy Hash: 6b0f62972025f2e1b6ae23a02bfe3a40e0e213594870f4e4cc2baac7c9a7c9f3
Instruction Fuzzy Hash: A93110B1D093598FEB15CF668C147D9BBF6AF96304F08C0F6C448AA251E7740A85CF51

Analysis Process: nuevo orden.exePID: 6256, Parent PID: 5172COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.4%
Total number of Nodes:	32
Total number of Limit Nodes:	4

Executed Functions

Function 011170B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0111712F

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e7d05a41be06b10b009b1bd9fe3e136ecaad9f39d65a06f7c37fe25a38d6ad36
Instruction ID: 483d0719ce9136e0165bab77c64f70f10981d0bc58db5e020d4c9f3546bb1c47
Opcode Fuzzy Hash: e7d05a41be06b10b009b1bd9fe3e136ecaad9f39d65a06f7c37fe25a38d6ad36
Instruction Fuzzy Hash: 8F2139B1800259CFDB14CF9AD984BEEFBF4AF48320F14846AE559A3350D778A944CF61

Function 06A6F858 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3441963775.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a60000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023e463b9655eeed8601bc7603d69f97fdee7924e3d11f537a0bfa0c61a077be
Instruction ID: 7f0f5bc54f6f6cbac7dc70fd2f23b6ba30f825d00d4becd84e6be9d1eb314d45
Opcode Fuzzy Hash: 023e463b9655eeed8601bc7603d69f97fdee7924e3d11f537a0bfa0c61a077be
Instruction Fuzzy Hash: 70413632D0439A9FCB04DF7AD80069EBBF5EF88210F14856AE504AB351DB749841CBD1

Function 0111EEF8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111EF87

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8564c973e4ce5f6d0ac4eeb977b719f0112033d49b15e45b2d8707e001f960d6
Instruction ID: c507e1b8fdcf5ebf3881ca095721e560c0044de4d18a9f1b964897bc6184c976
Opcode Fuzzy Hash: 8564c973e4ce5f6d0ac4eeb977b719f0112033d49b15e45b2d8707e001f960d6
Instruction Fuzzy Hash: 0B414775900259AFCB01CF99D844ADEBFFAFF88314F14806AFA58A7310D335A950CBA0

Function 011170B0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0111712F

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: dd321606ed449a5c649fd882da6bfc74809b29f811c7455f26e48883ee0e33c5
Instruction ID: b63840667867e7764b523aa880539b5d6e2ec3d263ff78e649a7493927e25d6d
Opcode Fuzzy Hash: dd321606ed449a5c649fd882da6bfc74809b29f811c7455f26e48883ee0e33c5
Instruction Fuzzy Hash: AC214A718002598FDB14CF9AD9447EEFBF4AF48320F14855AE455B3390D7789944CF60

Function 0111EF00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0111EF87

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d23c003dcadb49453718dc7ce3ca0fe19e9daab65877cdaf68cf8a7e5b9cb7d
Instruction ID: 4bed4a86a56598a38045352e19f6ab9d194f531d2e4dbbda31706ce0780d3aaf
Opcode Fuzzy Hash: 9d23c003dcadb49453718dc7ce3ca0fe19e9daab65877cdaf68cf8a7e5b9cb7d
Instruction Fuzzy Hash: 0F21E3B59002499FDB10CF9AD984ADEFFF4EB48320F14801AE918A3350D378A950CFA1

Function 0111AD69 Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0111ADE0

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 3664b00e71535d0580fb2e2897607d7666ce96f206942222be6ca2ba856fa69f
Instruction ID: 9c007218edfdab9d58ef26c4edbe1a87002d2fc82768e158c158041d2dfbc948
Opcode Fuzzy Hash: 3664b00e71535d0580fb2e2897607d7666ce96f206942222be6ca2ba856fa69f
Instruction Fuzzy Hash: 282127B2C0065A9FDB14CF9AD54479EFBB4FF48720F10812AD918A7240D778A950CFA5

Function 0111AD70 Relevance: 1.6, APIs: 1, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0111ADE0

Memory Dump Source

Source File: 00000005.00000002.3417204912.0000000001110000.00000040.00000800.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1110000_nuevo orden.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d9f566bb7bede78acc9c8fbdda50729c9f40f08dcc19df76a4dfca030ebd1056
Instruction ID: f9c5ff4b3ba2ec6efd25bcf321935f05c0b5fc23e975a7c51521469bc564447c
Opcode Fuzzy Hash: d9f566bb7bede78acc9c8fbdda50729c9f40f08dcc19df76a4dfca030ebd1056
Instruction Fuzzy Hash: 5C1133B2C00A5A9FDB14CF9AD544B9EFBB4FF48720F10812AD918A7240D778A950CFA1

Function 06A6EFE4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06A6F8AA), ref: 06A6F997

Memory Dump Source

Source File: 00000005.00000002.3441963775.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a60000_nuevo orden.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 4a1a678f3752128ac2dc46b998a57171be4ee3b6d78ddb81e4914f81003bfa4a
Instruction ID: 48fe3c8b3f54d7574c3d4aaa6b2ac51760146bf88db0bf68cda8b62442538293
Opcode Fuzzy Hash: 4a1a678f3752128ac2dc46b998a57171be4ee3b6d78ddb81e4914f81003bfa4a
Instruction Fuzzy Hash: 141133B2C0065A9FCB10DF9AD544B9EFBF4EF48224F10812AE918A7240D378A950CFA5

Function 06A6F928 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06A6F8AA), ref: 06A6F997

Memory Dump Source

Source File: 00000005.00000002.3441963775.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6a60000_nuevo orden.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b9b4d8c839742fb4e03e9dad642ad09206aa3e4ba9b1fe1c7fed1544779e2202
Instruction ID: 4f9f73c30e53c79c094e9c657096381981aaa8322f0b4d1f23626aeed31c7699
Opcode Fuzzy Hash: b9b4d8c839742fb4e03e9dad642ad09206aa3e4ba9b1fe1c7fed1544779e2202
Instruction Fuzzy Hash: 641147B1C0065ADFCB10DFAAD544BDEFBB4AF48324F14815AE918B7241D778A950CFA1

Function 010CD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3416601008.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026a07e2a9d74c11b4e07d0b427bcbc8ad9a2bf7c0c9d1b6050eebe77c9e8e57
Instruction ID: 054ab4f6130a422831493b282518ecb18ae939801a3f245e9f257dfb4f704679
Opcode Fuzzy Hash: 026a07e2a9d74c11b4e07d0b427bcbc8ad9a2bf7c0c9d1b6050eebe77c9e8e57
Instruction Fuzzy Hash: A7210371504204EFDB15DF98D9C0B2ABBA1EB84B14F30C5BEE9890A252C376D446CFA1

Function 010CD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3416601008.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10cd000_nuevo orden.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 6e6e37d502b735769a4af7b9ff3918352dda63abc19397fc35de23d670619bee
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 1011BE75504284DFCB12CF58D5C0B19BBA2FB84714F24C6AEE8894B657C33AD44ACFA1

Analysis Process: ZUHFqcY.exePID: 356, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	199
Total number of Limit Nodes:	6

Executed Functions

Function 073DE9A4 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073DEBE6

Strings

mW, xrefs: 073DE9EB
mW, xrefs: 073DEA1A

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID: mW$mW
API String ID: 963392458-2417662838
Opcode ID: 93114ce0e5f1a3a891250a3f990282bdf8af64d9dbdd5d4ef3d56e76ce042842
Instruction ID: d13b64c7de1e8ebac189eb0564978822e5ef58042b9c9b975af33c19b87262db
Opcode Fuzzy Hash: 93114ce0e5f1a3a891250a3f990282bdf8af64d9dbdd5d4ef3d56e76ce042842
Instruction Fuzzy Hash: E9A14DB2D1021ADFEB24DF68D841BDDBBB2BF48310F148569E849AB240DB749D85CF91

Function 073DE9B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073DEBE6

Strings

mW, xrefs: 073DE9EB
mW, xrefs: 073DEA1A

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID: mW$mW
API String ID: 963392458-2417662838
Opcode ID: 730970f2c674fdc3e04e843ee3841d66c1e1e51b342112a313b0374e4db4207e
Instruction ID: 30414b596af5a1e7bb3fdabe78faf451a4a777f30c44ae9a6a4f3ea969883dce
Opcode Fuzzy Hash: 730970f2c674fdc3e04e843ee3841d66c1e1e51b342112a313b0374e4db4207e
Instruction Fuzzy Hash: B9914DB1D0021ADFEB24DF68D8417DDBBB2BF48310F148569E849AB240DB749985CF91

Function 00F6A9E8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F6AC3E

Strings

mW, xrefs: 00F6ABF7

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID: mW
API String ID: 4139908857-3395524699
Opcode ID: 651549cb0103fae44a0b16cb0296cd6884ec27f184355900d7d97d682c847dc4
Instruction ID: be07649ad0429d060e4dbdd614b0f7c84eaefa6d140556786479c2be7d8fe8ba
Opcode Fuzzy Hash: 651549cb0103fae44a0b16cb0296cd6884ec27f184355900d7d97d682c847dc4
Instruction Fuzzy Hash: C4711170A00B058FDB24DF69D54175ABBF1FB88310F008A2AD48AA7A50DB78E945DF91

Function 073DE2EB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073DE380

Strings

mW, xrefs: 073DE30F

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: mW
API String ID: 3559483778-3395524699
Opcode ID: 30ab9873da1cc621a9e9de6ee93ca8ba4a072fe9c65453f3543d67eda105faeb
Instruction ID: 9f4b6e2c2aa3fd40d5cc871ca26e0d1ad60fd27ea664712dca57d691515968a4
Opcode Fuzzy Hash: 30ab9873da1cc621a9e9de6ee93ca8ba4a072fe9c65453f3543d67eda105faeb
Instruction Fuzzy Hash: D02137B290034A9FDB10CFA9C881BEEBBF4BF48310F108429E919A7240C7799950CBA4

Function 073DE2F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073DE380

Strings

mW, xrefs: 073DE30F

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: mW
API String ID: 3559483778-3395524699
Opcode ID: 05b57d73b60dd4040cc30828bd90d9eb2d3980b4c7e221e7cf0226ae2ce3add5
Instruction ID: 3f136ea26df65951f6adfacc550e986aa4b31421800060d97320830145706f8e
Opcode Fuzzy Hash: 05b57d73b60dd4040cc30828bd90d9eb2d3980b4c7e221e7cf0226ae2ce3add5
Instruction Fuzzy Hash: F4212AB29003499FDF10CFA9C881BEEBBF5FF48710F108429E918A7240C7799950CBA4

Function 073DE810 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073DE898

Strings

mW, xrefs: 073DE837

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID: mW
API String ID: 1726664587-3395524699
Opcode ID: 39b4fb8110cddf7a5f3911718d21c7a782885bb0c9b5f8da6876c274ff8614b1
Instruction ID: 6c5b45aba1cefa71876c9918e4f789b3002f9ca38c5242e5a368e9e537df03d2
Opcode Fuzzy Hash: 39b4fb8110cddf7a5f3911718d21c7a782885bb0c9b5f8da6876c274ff8614b1
Instruction Fuzzy Hash: 292119B1D0134A9FDB10DFA9C881AEEBBF5FF48710F148829E519A7240C7799950CB65

Function 00F6B3D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F6D286,?,?,?,?,?), ref: 00F6D347

Strings

mW, xrefs: 00F6D2DF

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID: mW
API String ID: 3793708945-3395524699
Opcode ID: 74cf708949dea30e8a526b9de5face882c0d313e68cdadfa1bc1e1ec72d0e09c
Instruction ID: 519de785c0d47e6f801cd462e30c131710ee808e64a5d01b14d3670764c084df
Opcode Fuzzy Hash: 74cf708949dea30e8a526b9de5face882c0d313e68cdadfa1bc1e1ec72d0e09c
Instruction Fuzzy Hash: 5221E5B5D00209EFDB10CF9AD984ADEBBF8EB48320F14841AE914A3310D374A950CFA5

Function 073DE153 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073DE1D6

Strings

mW, xrefs: 073DE174

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID: mW
API String ID: 983334009-3395524699
Opcode ID: ee4603f2df6da7117e6a7e34623698bd54a57af3efe6968830784b11e6443261
Instruction ID: 3d800d0483bfe0cee3cde34d7a54c45f3e4e3188996675332195ae8caa238e96
Opcode Fuzzy Hash: ee4603f2df6da7117e6a7e34623698bd54a57af3efe6968830784b11e6443261
Instruction Fuzzy Hash: 31211AB1D003099FEB10DFAAC885BEEBBF4EF88324F148429D519A7241D7789944CFA5

Function 073DE158 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073DE1D6

Strings

mW, xrefs: 073DE174

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID: mW
API String ID: 983334009-3395524699
Opcode ID: 3a73f5656ff7d0f098210fc0fc90660fe1396ca8c7aaca1ef415ca433ea232dc
Instruction ID: d209a38fd7f833eac51ebfbb8ce731da721b3cd7dc72145b76a9096bc4b2f334
Opcode Fuzzy Hash: 3a73f5656ff7d0f098210fc0fc90660fe1396ca8c7aaca1ef415ca433ea232dc
Instruction Fuzzy Hash: 24211AB1D003099FEB10DFAAC8857AEBBF4AF48714F148429D519A7241D7789944CFA5

Function 073DE818 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073DE898

Strings

mW, xrefs: 073DE837

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID: mW
API String ID: 1726664587-3395524699
Opcode ID: 20f388181176efb9122bfa2e247e753fc99c0d34eacfe8b792e75a434456e1be
Instruction ID: 44da99cc8dbb1ff95f236146bc89978fdb52c217a8e2a54917e59c7d6f1daccf
Opcode Fuzzy Hash: 20f388181176efb9122bfa2e247e753fc99c0d34eacfe8b792e75a434456e1be
Instruction Fuzzy Hash: 0D2116B1C003499FDB10DFAAC881AEEBBF5FF48710F108829E518A7240C7799950CBA5

Function 00F6D2BB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F6D286,?,?,?,?,?), ref: 00F6D347

Strings

mW, xrefs: 00F6D2DF

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID: mW
API String ID: 3793708945-3395524699
Opcode ID: 7538418450f535982e430b9f953fbb9c9a67386a1d0fd664247514043654de46
Instruction ID: 95cdc84957f9edbb37cdea7e2937a9068af441629c99007639db5381fb6c43b6
Opcode Fuzzy Hash: 7538418450f535982e430b9f953fbb9c9a67386a1d0fd664247514043654de46
Instruction Fuzzy Hash: 5F21C2B5D00209DFDB10CFAAD984ADEBBF9FB48320F14841AE918A7350D379A954CF65

Function 073DE22B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073DE29E

Strings

mW, xrefs: 073DE247

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID: mW
API String ID: 4275171209-3395524699
Opcode ID: cfee80d4c9bb0b176600acc9f955704c0d761e1ca7511352ec4f8aa774dca35e
Instruction ID: 83c54717621c0f03ad86321440af9ce0af76a8940ca2a377d784a5f5bb235a20
Opcode Fuzzy Hash: cfee80d4c9bb0b176600acc9f955704c0d761e1ca7511352ec4f8aa774dca35e
Instruction Fuzzy Hash: 7A1159729003499FDB10DFA9C945BDFBBF5AF88310F148819E519A7250D7759910CFA1

Function 00F694D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00F6954D

Strings

mW, xrefs: 00F694FF

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: mW
API String ID: 2492992576-3395524699
Opcode ID: fe05479deb556eaab4655658a6583c25a2df10d66b4a9b60fcf2bf284d6694ed
Instruction ID: 9c6a755043a6f5d4862523662470a4e32eeb23dc33a3646a2902602ad5711209
Opcode Fuzzy Hash: fe05479deb556eaab4655658a6583c25a2df10d66b4a9b60fcf2bf284d6694ed
Instruction Fuzzy Hash: E52103B1808389CFDB11CF99D9043EEBFF4EB05718F144099C599A7242C3B9AA05DFA5

Function 073DE230 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073DE29E

Strings

mW, xrefs: 073DE247

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID: mW
API String ID: 4275171209-3395524699
Opcode ID: 62bf587408c1c52f870b4c38125f338f47640bc6b0cf81e3bad44785497462f6
Instruction ID: 3542394fd4a7cf07846257c03fcb845d6b6f5254f88184e42bd3263a968a8fa1
Opcode Fuzzy Hash: 62bf587408c1c52f870b4c38125f338f47640bc6b0cf81e3bad44785497462f6
Instruction Fuzzy Hash: 4E1156728003499FDB10DFAAC845BDEBBF5AF88320F108819E519A7250C775A910CFA1

Function 073DE0A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 073DE10A

Strings

mW, xrefs: 073DE0BF

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID: mW
API String ID: 947044025-3395524699
Opcode ID: 79aeb93b785a94b7bfd535bcfc22f1d246ea32051caa52c42c4c5de50cde5e81
Instruction ID: 7742af11ec683af89c3612286bbf65b3d99cc468719cf253130cf2ec11987709
Opcode Fuzzy Hash: 79aeb93b785a94b7bfd535bcfc22f1d246ea32051caa52c42c4c5de50cde5e81
Instruction Fuzzy Hash: A8115BB1D0034A8FDB20DFAAC94579EFBF4AF88720F248819D519A7240C779A944CB95

Function 073DE0A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073DE10A

Strings

mW, xrefs: 073DE0BF

Memory Dump Source

Source File: 00000006.00000002.2323599975.00000000073D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_73d0000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID: mW
API String ID: 947044025-3395524699
Opcode ID: 143902655f6f29354c5529783ce28ff194aebf35a4bb629ea1dbab33920be306
Instruction ID: 8088a3cf41a3b95ab527ebe7eb095e18e1d2c7a8371bbf339d3088db4a7d897c
Opcode Fuzzy Hash: 143902655f6f29354c5529783ce28ff194aebf35a4bb629ea1dbab33920be306
Instruction Fuzzy Hash: CF113AB1D003498FDB10DFAAC84579EFBF4EF88724F248819D519A7240CB79A940CF95

Function 00F694E8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00F6954D

Strings

mW, xrefs: 00F694FF

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: mW
API String ID: 2492992576-3395524699
Opcode ID: b05b70e4967c8831c5123c0aa578cef00b26249fdca7e9aa435699c9fca16e33
Instruction ID: 06d2df98f4d6c959a27b51fc589cc1b2f49d967585d0aba7b37ff05449db59e6
Opcode Fuzzy Hash: b05b70e4967c8831c5123c0aa578cef00b26249fdca7e9aa435699c9fca16e33
Instruction Fuzzy Hash: 9D11BFB1808789CFDB11CF99D9053EEBFF8EB04714F148059D559A3242C3B9AA04DFA5

Function 00F6ABD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F6AC3E

Strings

mW, xrefs: 00F6ABF7

Memory Dump Source

Source File: 00000006.00000002.2317882682.0000000000F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f60000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID: mW
API String ID: 4139908857-3395524699
Opcode ID: 1cb3c4937647b7ee95af4171f5153406eff30aafe903b745683a312e473de78a
Instruction ID: 51bc89b3677efb855e1ecd16357684aa7a43f73538a9cdce8144f36eb65b0782
Opcode Fuzzy Hash: 1cb3c4937647b7ee95af4171f5153406eff30aafe903b745683a312e473de78a
Instruction Fuzzy Hash: 24110FB6C003498FDB10CF9AC544A9EFBF8AB88324F10841AD828B7200C3B9A545CFA5

Function 06E911F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06E9125D

Strings

mW, xrefs: 06E9121A

Memory Dump Source

Source File: 00000006.00000002.2323300559.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e90000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID: mW
API String ID: 410705778-3395524699
Opcode ID: 38682740a24e7e0e6d5496c1eab0277183e2a894e3e5e67a4905d2b64deb6563
Instruction ID: 0773cfb4b311836977152a635c3c1f59c4568ceff09a3baf578c00713563f4c8
Opcode Fuzzy Hash: 38682740a24e7e0e6d5496c1eab0277183e2a894e3e5e67a4905d2b64deb6563
Instruction Fuzzy Hash: D011F2B58003499FDB10DF99D985BDEBBF8EB48320F20841AE918A7200C375AA54CFA0

Function 06E91200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06E9125D

Strings

mW, xrefs: 06E9121A

Memory Dump Source

Source File: 00000006.00000002.2323300559.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e90000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID: mW
API String ID: 410705778-3395524699
Opcode ID: d43145fb179f72737881fad5eccb56fd636f8a81a5411958fb15bbe23a902c38
Instruction ID: 4b4a9b6c57775a27f0619b5dc1316a9333208738c1c56812327740b6d051b36d
Opcode Fuzzy Hash: d43145fb179f72737881fad5eccb56fd636f8a81a5411958fb15bbe23a902c38
Instruction Fuzzy Hash: 8D11D3B58003499FDB10DF9AD985BDEFBF8EB48724F20841AD518A7200D3B5A554CFA5

Function 06E92933 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06E92990

Strings

mW, xrefs: 06E92952

Memory Dump Source

Source File: 00000006.00000002.2323300559.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e90000_ZUHFqcY.jbxd

Similarity

API ID: CloseHandle
String ID: mW
API String ID: 2962429428-3395524699
Opcode ID: 452c03f6d2a20e5bb5e57f0ced68ce75e8f4203597851efa97766e0c81ebca2d
Instruction ID: da4f3cbc42c7cf68cc97d33bba0dd92004ea7f57194ab011309f20d4572d4c62
Opcode Fuzzy Hash: 452c03f6d2a20e5bb5e57f0ced68ce75e8f4203597851efa97766e0c81ebca2d
Instruction Fuzzy Hash: F111E3B58007499FDB10DF9AC945BDEBBF8EF48320F10841AD958A7240D779A644CBA5

Function 06E92938 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06E92990

Strings

mW, xrefs: 06E92952

Memory Dump Source

Source File: 00000006.00000002.2323300559.0000000006E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6e90000_ZUHFqcY.jbxd

Similarity

API ID: CloseHandle
String ID: mW
API String ID: 2962429428-3395524699
Opcode ID: 2bc4d29098f7b4c5c2720e254953083495255f9b2b1103af7027cdd149b5c357
Instruction ID: 160759c484e0beca324d48f78de36aeb5a58c36dab4650f88f046a5548010930
Opcode Fuzzy Hash: 2bc4d29098f7b4c5c2720e254953083495255f9b2b1103af7027cdd149b5c357
Instruction Fuzzy Hash: 1211F2B5C003499FDB10DF9AC545BDEBBF4EF48320F20841AD958A7240D779A644CFA5

Function 00C8D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2316019613.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c8d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff6ddb07ba8424d39e5494cc5d1b60523cd3f0a0a11289e52b9e5ffb94e750f
Instruction ID: 3068ee07f3b6df73c44209e9e812bfc9c55cde2db597600bcb81f979127dd881
Opcode Fuzzy Hash: 9ff6ddb07ba8424d39e5494cc5d1b60523cd3f0a0a11289e52b9e5ffb94e750f
Instruction Fuzzy Hash: 1521F275504304EFDB04EF14D9C8B2ABBA5FF84328F20C56DE90A4B296C77AD846CB61

Function 00C8D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2316019613.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c8d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b92c0c29f42972901f05c0557f444f8091baed6fe8e324b9a59ddb43e9e1678
Instruction ID: 1c831ddad6afb91d1cb8d787b6091f3ecb2ae8195c3491498565238a2acab70e
Opcode Fuzzy Hash: 6b92c0c29f42972901f05c0557f444f8091baed6fe8e324b9a59ddb43e9e1678
Instruction Fuzzy Hash: 5721F575504204EFDB04EF14D5C0B26BBB5FB84728F24C56DE90A4B2A2C77AD846CB66

Function 00C8D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2316019613.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c8d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 387ca7b63bbfaedba5eb04c6bac4df40b0b0c25636a388c6193ba98f4184c066
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: CB119D75504284DFCB05DF10D5C4B19BFB2FB84328F24C6A9D84A4B6A6C33AD94ACB62

Function 00C7D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2315955968.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c7d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08adebbfe76dda84d21be663a106a2d59ba089a05d7bf1e418f050a06bd6fbcd
Instruction ID: 25694bbe296c9ba2d0086fc764a19dfa2a5fd6eef17ad1d2f419acf35cdb631c
Opcode Fuzzy Hash: 08adebbfe76dda84d21be663a106a2d59ba089a05d7bf1e418f050a06bd6fbcd
Instruction Fuzzy Hash: BD01F2714043409AE7184A2ADD80B66BFA8EF41320F18C41AED1E4A28AC7B99840C6B1

Function 00C7D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2315955968.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_c7d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301d3245d9af514620273b09fc02664bc120c4171e9ccb26bff0a7351f6b3a2e
Instruction ID: fd56f7cef4cbd4fe2ebb637a8ecd1fd6edd1b4fe5d233aadad84815e770d154f
Opcode Fuzzy Hash: 301d3245d9af514620273b09fc02664bc120c4171e9ccb26bff0a7351f6b3a2e
Instruction Fuzzy Hash: F4F0C2714043449EE7148A06DCC4B62FFACEF51734F18C45AED1D0E286C379A840CAB1

Analysis Process: ZUHFqcY.exePID: 5268, Parent PID: 356COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	92.9%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	2

Executed Functions

Function 0667F858 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3442743268.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6670000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c4bcefc7bf7123c8eef00b4978f40a79fb3e389e545dcf5456257557dbb112
Instruction ID: 43a2238c043b4298f881c7ea80f450aefdebde12c2e9875e153d7471bb91da51
Opcode Fuzzy Hash: f9c4bcefc7bf7123c8eef00b4978f40a79fb3e389e545dcf5456257557dbb112
Instruction Fuzzy Hash: 69412272D043999FCB04CFBAD8006AEBBF5AFC9210F1485AAD508E7341DB789845CBE1

Function 00F970B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00F9712F

Memory Dump Source

Source File: 00000007.00000002.3419955097.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f90000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: c5dd9fd1c72476cc1f6acbfa8164a17fdfe4bb4b29036772b856dca73eece444
Instruction ID: 01c7a0fc7ed76c2db00e9a253fdc971e1da533b33a6c5d5e55e18b7f5634d1bb
Opcode Fuzzy Hash: c5dd9fd1c72476cc1f6acbfa8164a17fdfe4bb4b29036772b856dca73eece444
Instruction Fuzzy Hash: 91213971900359CFDB04CFAAD4847EEBBF4AF48320F14845EE459A7250D778A944CF60

Function 00F9EDC8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9EE57

Memory Dump Source

Source File: 00000007.00000002.3419955097.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f90000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: df4a4b7bef686ce496c30531a16c3ca4ddee889b7e07b342ef9be40ea6c29878
Instruction ID: 3cdcce5cc529a605fcd11dd18c1ac0e9500521d7ec1ae2028e6a89879b5c56bc
Opcode Fuzzy Hash: df4a4b7bef686ce496c30531a16c3ca4ddee889b7e07b342ef9be40ea6c29878
Instruction Fuzzy Hash: 1D2105B5D00248AFDB10CFAAD884ADEBFF8FB48320F14801AE918A3350D375A950CF64

Function 00F970B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00F9712F

Memory Dump Source

Source File: 00000007.00000002.3419955097.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f90000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: d0cab74a140c30c359d309c5bb71de80a3eb01d2d1d86e51c07abd4c219fce44
Instruction ID: cfea4eb7a12210bc039fb4ab7609fe7c871d579d3ec5fa17bd0be46ebff48a2b
Opcode Fuzzy Hash: d0cab74a140c30c359d309c5bb71de80a3eb01d2d1d86e51c07abd4c219fce44
Instruction Fuzzy Hash: 962125B28003598FDB14CFAAD884BEEBBF4AF48320F14845AE459A3250D778A944CF61

Function 00F9EDD0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9EE57

Memory Dump Source

Source File: 00000007.00000002.3419955097.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f90000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f3eddc28b352bd8d8045cf09ac401002cd4767c555c227b5ca06b0652dc1c0d
Instruction ID: 7660cca0e1aaf8263d1d3c32c9d5f5c8eb2767ca75ac542f0ea13d21e38a04e5
Opcode Fuzzy Hash: 9f3eddc28b352bd8d8045cf09ac401002cd4767c555c227b5ca06b0652dc1c0d
Instruction Fuzzy Hash: 5221E3B5D002099FDB10CFAAD984ADEBBF4FB48320F14841AE918A3210D379A950CF64

Function 0667EFC0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0667F8AA), ref: 0667F997

Memory Dump Source

Source File: 00000007.00000002.3442743268.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6670000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9af90678edd1d3ee8794651bb904d04ebd9dbc326db2fea6b167afdc34f8f11d
Instruction ID: 82dbf61ff701d03b4802aa350e943f992764499489f26fe27ff82178e4624a0a
Opcode Fuzzy Hash: 9af90678edd1d3ee8794651bb904d04ebd9dbc326db2fea6b167afdc34f8f11d
Instruction Fuzzy Hash: B61133B1C0065A9FCB10CFAAC444B9EFBF4BF48220F10812AE918A7240D378A910CFA5

Function 0667F928 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0667F8AA), ref: 0667F997

Memory Dump Source

Source File: 00000007.00000002.3442743268.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6670000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5c2c71fe3e54a941fc405c6c8d71239ef21804b25c854c19f3f4e2fa868fd8b9
Instruction ID: d5318c1e86a7efd481f613b2ac22e9b6b9c991d5a8ebb8dde7633efb7e70600c
Opcode Fuzzy Hash: 5c2c71fe3e54a941fc405c6c8d71239ef21804b25c854c19f3f4e2fa868fd8b9
Instruction Fuzzy Hash: 641136B1C0065A9FDB10CF9AC944BDEFBF4BF48324F10815AE518A7240D778A954CFA5

Function 00CCD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3416570450.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71e232b27502a9a5dff602f2a2bff60a7b5db4c26df2930c68dce796b3a38a9
Instruction ID: b5c3e83412d077f8281046f2a09e7371c404c3036a85b6b5f848a5b1e1fbe3b8
Opcode Fuzzy Hash: e71e232b27502a9a5dff602f2a2bff60a7b5db4c26df2930c68dce796b3a38a9
Instruction Fuzzy Hash: EF21D075504244EFDB14DF18D9C0F26BBA5EB84314F24C5BDD90A4A292C77AD846CA62

Function 00CCD005 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3416570450.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ccd000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f269e984bca6b5cf8dafae82a4541c93f3404a4e70b73a7b87a563436c2c5245
Instruction ID: 5a8cdfea321b078383d42db0b147c1684abe3115de211bb4fe27490958679b2d
Opcode Fuzzy Hash: f269e984bca6b5cf8dafae82a4541c93f3404a4e70b73a7b87a563436c2c5245
Instruction Fuzzy Hash: A621307550D3C09FD713CF24C990B15BF71AB46214F29C5EBD8898F6A7C23A980ACB62

Analysis Process: ZUHFqcY.exePID: 1280, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	216
Total number of Limit Nodes:	10

Executed Functions

Function 0099D078 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0099D0F6
GetCurrentThread.KERNEL32 ref: 0099D133
GetCurrentProcess.KERNEL32 ref: 0099D170
GetCurrentThreadId.KERNEL32 ref: 0099D1C9

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a1d9e1d78c42bf557aef53adda5c212036d08e06d6a2785a7ba5ee0af78e6546
Instruction ID: 0e492a0014968f5523baab0e324a848e2717e36650abecd813238f6293afd497
Opcode Fuzzy Hash: a1d9e1d78c42bf557aef53adda5c212036d08e06d6a2785a7ba5ee0af78e6546
Instruction Fuzzy Hash: B05178B1911349CFDB18CFAAD988B9EBBF1FF88314F208419E109A7260DB749944CF65

Function 0709E9A4 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0709EBE6

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1cc3553dc91d378fe84ed40e56fd98758bfe05a986589b7aaeafd95652c2229f
Instruction ID: 4c6c94bd08ace629bfa7bbda7cbf3f5d1c0fe10eadaef2b0483eae90cb792076
Opcode Fuzzy Hash: 1cc3553dc91d378fe84ed40e56fd98758bfe05a986589b7aaeafd95652c2229f
Instruction Fuzzy Hash: 83A13BB2D0061ADFEF24CF68C84179EBBF2BF48310F148669E849A7250DB749985DF91

Function 0709E9B0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0709EBE6

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a7c5848d8316407e544a036bc759c02dfde22d4c823f0269ec5159f83ba5b11c
Instruction ID: b70d77d1150cef9e8a3d376f09e266359162d34227fbf33a2a7d914868c9bac2
Opcode Fuzzy Hash: a7c5848d8316407e544a036bc759c02dfde22d4c823f0269ec5159f83ba5b11c
Instruction Fuzzy Hash: 8E913AB2D0061ADFEF24CF68C84179EBBF2BF48310F148669E849A7250DB749985DF91

Function 0099A9E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0099AC3E

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d8de7a0793260ed2d54ee7af115cc1e1a64656db89b3a37a12b75a91e4d2245c
Instruction ID: ef005266c8987a6da73208bb63c12aa89e2e0209a8f441d54c0db4876b9ec29d
Opcode Fuzzy Hash: d8de7a0793260ed2d54ee7af115cc1e1a64656db89b3a37a12b75a91e4d2245c
Instruction Fuzzy Hash: F6713570A00B058FDB24DF69D54575ABBF6FF88300F108A2DE48ADBA50DB75E845CB92

Function 0709E2E8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0709E380

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 73fd52930c5e843e3cb8cf61a14f246de6f8c07ef2a2e9b0d64a6a31f67b58c2
Instruction ID: 15afce7e3722c0d13d392ba9786d952956d21c96a50d67688b851c3dc586235e
Opcode Fuzzy Hash: 73fd52930c5e843e3cb8cf61a14f246de6f8c07ef2a2e9b0d64a6a31f67b58c2
Instruction Fuzzy Hash: B32126B290135A9FDF10CFA9C885BDEBBF1BF48310F10852AE919A7240D7789954DBA0

Function 0709E2F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0709E380

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 76f62cb2fac1523dd59926e4c8be8f3ff50cbf191077c605a958db83f714e23b
Instruction ID: 6c01a260ace981e41d7f2fe9aac12b34ba397a0d4fc956500e01ec00d6a75d41
Opcode Fuzzy Hash: 76f62cb2fac1523dd59926e4c8be8f3ff50cbf191077c605a958db83f714e23b
Instruction Fuzzy Hash: DF2126B290034A9FDF10CFAAC885BDEBBF5FF48310F108529E918A7240D7789954DBA5

Function 0709E810 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0709E898

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4cc57e2753dce9ac12de96e91aef64770b03aba52df41ca2e33fa31bf59b5252
Instruction ID: 1aee22121cc459f22f765b3b17e273446cd770ac04433ebd31c20aa337d42a06
Opcode Fuzzy Hash: 4cc57e2753dce9ac12de96e91aef64770b03aba52df41ca2e33fa31bf59b5252
Instruction Fuzzy Hash: A921F8B1C003499FDB10DF99C881AEEFBF5FF48310F14842AE519A7240C7749955DBA5

Function 0709E151 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0709E1D6

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9b37a699d5b2a93a9e4939aa93ecc6cd16de072a0519262f8013ac9da4415cdd
Instruction ID: 731d265711088b1ebc2d746d4bfd130d1c0a9a4e839acfb04b310f5960f99c93
Opcode Fuzzy Hash: 9b37a699d5b2a93a9e4939aa93ecc6cd16de072a0519262f8013ac9da4415cdd
Instruction Fuzzy Hash: 222139B2D003099FDB10DFAAC8857EEBBF4AF48310F14842AD559A7241C7789944CFA1

Function 0709E158 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0709E1D6

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f5d9d5b09d054280b69d97caab14ad4e406ac74c65c5ee56f86f2a832ee23c52
Instruction ID: 229071ea5af4e7a496dbab9a2dd67a16eb3b4b0fc6ce532f6bf22d7e87d483dd
Opcode Fuzzy Hash: f5d9d5b09d054280b69d97caab14ad4e406ac74c65c5ee56f86f2a832ee23c52
Instruction Fuzzy Hash: 32211AB1D003099FDB10DFAAC8857EEBBF4AF48314F14842AD519A7341D7789944CFA5

Function 0709E818 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0709E898

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7c0505b0094f065a475b5f5c36a8b84c0f76547c25f907327bda7da4f139296f
Instruction ID: f0db3c55a1c7fe40fbab4629189e29bb361d8634eaffe17cf507fd0a58ac152d
Opcode Fuzzy Hash: 7c0505b0094f065a475b5f5c36a8b84c0f76547c25f907327bda7da4f139296f
Instruction Fuzzy Hash: 952105B1C003499FDF10DFAAC881AEEBBF5FF48310F10882AE518A7240C7789954DBA5

Function 0099D2C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0099D347

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 82cd46f886e30592e75aba19f58dba5ec7f2f16778b8d5406fc4959af0784a73
Instruction ID: 535b9dc75b386433a8912c5da4d158d1d116d4732e7d0ccf5d669f182a892c68
Opcode Fuzzy Hash: 82cd46f886e30592e75aba19f58dba5ec7f2f16778b8d5406fc4959af0784a73
Instruction Fuzzy Hash: 4621E3B59002099FDB10CF9AD984ADEBBF8EB48320F14841AE918A3210D378A954CFA1

Function 0709E228 Relevance: 1.6, APIs: 1, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0709E29E

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 783e07c3c5f69487167f575ad782b58097c96e8ac603cb985e8acfa797100302
Instruction ID: 35fe367ec98ff0ffba450eaacac88b9b97e37cead4f6a7a782f6a0e9dcb2d78e
Opcode Fuzzy Hash: 783e07c3c5f69487167f575ad782b58097c96e8ac603cb985e8acfa797100302
Instruction Fuzzy Hash: BF2167B290024A9FDF20DFAAC845BDFBBF5EF88320F148819E519A7250C7759910DFA1

Function 0709E0A0 Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 0709E10A

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: da2122305c489fa26eec2c75a1ad6e6f02315c1213d1ab56555c7ee594be31c1
Instruction ID: 7fc229506a82a61a53cbb2b5db9bab5e5f4ac282727d89b6fb2126a6405026fc
Opcode Fuzzy Hash: da2122305c489fa26eec2c75a1ad6e6f02315c1213d1ab56555c7ee594be31c1
Instruction Fuzzy Hash: 8C1149B19003498FDB20DFAAC845BDFFBF4AF88620F248819D559A7240CB75A944CFA5

Function 0709E230 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0709E29E

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a2fafa6b54eed0fadfd16f804a11ceababcb618db4376a105fe092e02f50cd4
Instruction ID: 09b91e8cacade2105f46acbf14f3601596f940fab43b0bb0cf5178a1b7896245
Opcode Fuzzy Hash: 0a2fafa6b54eed0fadfd16f804a11ceababcb618db4376a105fe092e02f50cd4
Instruction Fuzzy Hash: BC11567280024A9FDF10DFAAC845BDEBBF5AF88320F148819E519A7250C775A914CFA1

Function 06C311F8 Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C3125D

Memory Dump Source

Source File: 00000009.00000002.2414075097.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61740cc86d2b3f1250f3fbf4c7638ab9468992b7acb235e57f1af69dc7a40ec3
Instruction ID: b4a637ad8a55a113e3c2e8866f417844d02d5595ed4b490c876630c91d81acd9
Opcode Fuzzy Hash: 61740cc86d2b3f1250f3fbf4c7638ab9468992b7acb235e57f1af69dc7a40ec3
Instruction Fuzzy Hash: 5711E3B58003599FDB10DF9AD985BDEBFF8EB49320F148419E518A7601C3B5A544CFA1

Function 009994E8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0099954D

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 527d0777865c4a1010d26a0feadafcff6fae2306c7c6b39cc22f776ab07c2bb2
Instruction ID: a85c2d50a6b18d793d39cf469f31894be396bcd3136bd510a05d86cabf1ec7c3
Opcode Fuzzy Hash: 527d0777865c4a1010d26a0feadafcff6fae2306c7c6b39cc22f776ab07c2bb2
Instruction Fuzzy Hash: EA119DB1808789CEDB11CF99D4047DEBFF8AB04314F50809DD559A3242C3B9AA48CFA2

Function 009994E0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0099954D

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fd410784995e018363450ceb87280c26a8c37bd9532e1921155776462afbb974
Instruction ID: 78c9f11f63e9a15b0846ef4e29c03a18ae52fea7978b55d2a46758553a2101c5
Opcode Fuzzy Hash: fd410784995e018363450ceb87280c26a8c37bd9532e1921155776462afbb974
Instruction Fuzzy Hash: 3E11BEB1808789CEDB11CF99D4047DEBFF4EB04314F14809DD599A3241C3786644CFA2

Function 0709E0A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0709E10A

Memory Dump Source

Source File: 00000009.00000002.2415054842.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7090000_ZUHFqcY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fb128eff2f67c942f1a39e274c48fd8aa163a214da33e4bedffca3a379d2e050
Instruction ID: 83e39cb5377b7f1f2babb1bd0585d50230f9a83e78ce07b530c32b3cb33b80e7
Opcode Fuzzy Hash: fb128eff2f67c942f1a39e274c48fd8aa163a214da33e4bedffca3a379d2e050
Instruction Fuzzy Hash: 781128B1D00349CFDB10DFAAC84579EFBF4AF88624F248819D519A7240CB79A944CFA5

Function 0099ABD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0099AC3E

Memory Dump Source

Source File: 00000009.00000002.2394287652.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_990000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a763bb668fc0e5e203a31c9214005c5424a080f1a54c03ee27d190368d79e9a
Instruction ID: daea6fd51f935c66f4cf9ca96652361f3e0840d0ad0a3c7725cd4de7a39e3825
Opcode Fuzzy Hash: 7a763bb668fc0e5e203a31c9214005c5424a080f1a54c03ee27d190368d79e9a
Instruction Fuzzy Hash: 471102B5C007498FDB10CF9AD544BDEFBF4EB88324F10841AD458A7210D3B9A545CFA1

Function 06C31200 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06C3125D

Memory Dump Source

Source File: 00000009.00000002.2414075097.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_ZUHFqcY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 615d4d780301d6bfc2b50ce931b62a16d583ebc7a5166d780b60f5974a5aa636
Instruction ID: e4419f5d5e6114fcb827238d238d52d483b0b9d0a3f3ee9f2e986878f848e37b
Opcode Fuzzy Hash: 615d4d780301d6bfc2b50ce931b62a16d583ebc7a5166d780b60f5974a5aa636
Instruction Fuzzy Hash: 9811D3B58003499FDB10DF9AD985BDEFBF8EB48320F14841AD518A7600C3B5A544CFA5

Function 06C32930 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06C32990

Memory Dump Source

Source File: 00000009.00000002.2414075097.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_ZUHFqcY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4480f5e3afc2bdd636090df30db0db159d6fab09bfe0e069b27a91c627fdd398
Instruction ID: b5966a8f66dc32eea23a703fab37d3e1d0fa8d23d8a04bccfe9802dca6305af8
Opcode Fuzzy Hash: 4480f5e3afc2bdd636090df30db0db159d6fab09bfe0e069b27a91c627fdd398
Instruction Fuzzy Hash: 041113B58047498FDB10DFAAD845BDEFBF4EF48320F20841AD558A7240D778A644CFA5

Function 06C32938 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 06C32990

Memory Dump Source

Source File: 00000009.00000002.2414075097.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c30000_ZUHFqcY.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dc0162fe9a6f1e8f84852fee264bd66b188ae1a2353b21ab45f3a7a46806ec3c
Instruction ID: 6f9b42666c938d975f343e43087ba15a439789419f107736d27d64bcbc98389f
Opcode Fuzzy Hash: dc0162fe9a6f1e8f84852fee264bd66b188ae1a2353b21ab45f3a7a46806ec3c
Instruction Fuzzy Hash: 7C1103B5C00749CFDB50DF9AC545BDEBBF4EB48320F20841AD558A7240D778A644CFA5

Function 0093D294 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2394072675.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8793cbf04e22b7e8b49142c4b6ded7677d053cc8efa2a1c857e75c587eebd02
Instruction ID: 7a549dbc2cc502df1f3e849ad614dd70dbae440ae949796da8f903dc8b9ceea0
Opcode Fuzzy Hash: b8793cbf04e22b7e8b49142c4b6ded7677d053cc8efa2a1c857e75c587eebd02
Instruction Fuzzy Hash: 12212675604204EFDB04DF14E9D0B26BBA5FB84718F24C96DD90A4B252C77ADC46CE62

Function 0093D0DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2394072675.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e5a8497d421810097b6ccd47df3a0f731b98a6536c5d8f1e112c0362eca7a6
Instruction ID: ab84dd0c9362faf27de5f5cd419009d331058540ad670de74bd9721b59cd08ca
Opcode Fuzzy Hash: 53e5a8497d421810097b6ccd47df3a0f731b98a6536c5d8f1e112c0362eca7a6
Instruction Fuzzy Hash: 7A2137B5508304EFDB08DF50E9D0B26BB65FB84314F20C56DD9090B256C37BD846CE61

Function 0093D28F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2394072675.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: c53aaadab64832de5bc45bb09fe037bbbf6add22b2f09e29bd2b77ef6beeb53d
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 68119D75504284DFCB06CF10E5D4B19BFB1FB84318F24C6A9D8494B656C33AD84ACF62

Function 0092D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2393769557.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_92d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a910fcbcb5e309f1f78f9d71e0c96e7313f732af3acde614a7b5fa4bc189c5a
Instruction ID: 6df57d22a29343918ea56a746a8a990dc3d9889938bb3e8aa21a634266c056f5
Opcode Fuzzy Hash: 4a910fcbcb5e309f1f78f9d71e0c96e7313f732af3acde614a7b5fa4bc189c5a
Instruction Fuzzy Hash: 620126B1006350DAF7104A25ED80B66FFDCEF41320F18C81AED084A28AC7BC9840CBB1

Function 0092D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2393769557.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_92d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c05530d7f80ae19f5dde11cace7a8970013b11f57941b043b171045bdfd4cb
Instruction ID: 9944bba82331ced6b8d7a49df202c8140522dc94a01420694d610e86af14f26b
Opcode Fuzzy Hash: 40c05530d7f80ae19f5dde11cace7a8970013b11f57941b043b171045bdfd4cb
Instruction Fuzzy Hash: 54F0C2B14053549EE7108A06EC84B62FFECEF50724F18C45AED080B28AC379A840CBB1

Analysis Process: ZUHFqcY.exePID: 5344, Parent PID: 1280COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	117
Total number of Limit Nodes:	14

Executed Functions

Function 0695E578 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f266550f42b56efacd18af3bca36875801cba96f02baac6240a8e587ef4ebe3
Instruction ID: e4ea4a53c7505427d5bb10054ced6d5b012a173e2b6bc58c3f1691ee3be8adc3
Opcode Fuzzy Hash: 1f266550f42b56efacd18af3bca36875801cba96f02baac6240a8e587ef4ebe3
Instruction Fuzzy Hash: B7F18F30E00309CFEB54DFA9C854B9DBBF5FF88314F258568E805AB665DB71AA45CB80

Function 069570F0 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06957356

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd16a100c7bac7c9a6c8f6624d4233f383ffe02d3bd3156d322dbbe6e4d3c78a
Instruction ID: f476ab66cd5338f2d727a48451971e5af77d912174af601494d85584bfb693ec
Opcode Fuzzy Hash: fd16a100c7bac7c9a6c8f6624d4233f383ffe02d3bd3156d322dbbe6e4d3c78a
Instruction Fuzzy Hash: 8B816570A00B058FDB64DFA9D45479ABBF6FF88210F10892DD88ADBA50DB74E905CB90

Function 06A2F858 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3443035794.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a20000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab7db9df0308c9b390446d1bb74b9991bc3435cdb1008f83ec1692e98bfaf05
Instruction ID: 88e1d08053b6fac9f363958203b612aa15587fb0ed9f876a4955fbb60478a287
Opcode Fuzzy Hash: 9ab7db9df0308c9b390446d1bb74b9991bc3435cdb1008f83ec1692e98bfaf05
Instruction Fuzzy Hash: D5412372D0435A8FCB04DFBAD8006DEFBF5AF89210F158A6AD544A7241EB749845CBD1

Function 06959271 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069593E2

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 808e995fe61b25cd818fd05cab66f8bab6f8d9a75d99d8eec89602dd560c2744
Instruction ID: 8a5ec69596f640dbd57c643f9c17ca44f11680ea03e0edba8f92e290dfbbfcbc
Opcode Fuzzy Hash: 808e995fe61b25cd818fd05cab66f8bab6f8d9a75d99d8eec89602dd560c2744
Instruction Fuzzy Hash: 4B51AFB1D00359DFEB14CF99C884ADEBBB5BF88310F25852AE819AB250D775A845CF90

Function 069592C5 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069593E2

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7fa44d31c31ce04e3e4194158336dde5921043aaa1aecd4ac120b5ed5d7b451c
Instruction ID: 9ec7e4fe7cd29e0064059bcb16156eb1614f9810eafd0c6dba1fa62f9f57ab6d
Opcode Fuzzy Hash: 7fa44d31c31ce04e3e4194158336dde5921043aaa1aecd4ac120b5ed5d7b451c
Instruction Fuzzy Hash: 9451BFB1D00359DFDB14CF9AC884ADEBBB5FF88310F25852AE819AB250D775A845CF90

Function 069592D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069593E2

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 35c09d124d5fc6ad54c24586fed7ec4337aae49ca6cccecea1c4c726b8e36454
Instruction ID: dc29c1ce8be0780f684b43d2db3acf170ee4a98a345a1cb967563cd126476c50
Opcode Fuzzy Hash: 35c09d124d5fc6ad54c24586fed7ec4337aae49ca6cccecea1c4c726b8e36454
Instruction Fuzzy Hash: 2441B0B1D00349DFDF14CF9AC884ADEBBB5BF88310F25852AE819AB250D7759845CF90

Function 069567AC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0695BAE1

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 49a1e0c060c88c5ddf10bc98d93a0e548ea0ef5a2e6502748e73da2f9bc7526c
Instruction ID: 8859ed4a992595eb8032c37cd5974d6595f88419cf072245191362b17b0200b7
Opcode Fuzzy Hash: 49a1e0c060c88c5ddf10bc98d93a0e548ea0ef5a2e6502748e73da2f9bc7526c
Instruction Fuzzy Hash: 384127B4900309CFDB54CF99C498AAABBF5FF88324F25C459D919AB325D774A841CBA0

Function 011F70B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011F712F

Memory Dump Source

Source File: 0000000A.00000002.3417335292.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11f0000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: e2fd612b359ff334c480659b05662e83b533abd2208e06b2f52563bbeca8b52f
Instruction ID: 9dc2d7aab29111f00edf8ef3a362ec8875488cc20b2f0da5d3fc24a9e675a288
Opcode Fuzzy Hash: e2fd612b359ff334c480659b05662e83b533abd2208e06b2f52563bbeca8b52f
Instruction Fuzzy Hash: 9D2136B1C002598FDB54CF9AD484BEEBBF4AF48324F24852AE959B3250D778A944CF60

Function 011FEDC8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011FEE57

Memory Dump Source

Source File: 0000000A.00000002.3417335292.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11f0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 16f11de64bc02b47a655da182aaa3516d10a8aab7ce144155f7d8fc2a30ead3f
Instruction ID: f114caa1af2b78a35867de8f335aba44827c3b7cbd3d80312751d0b4984db008
Opcode Fuzzy Hash: 16f11de64bc02b47a655da182aaa3516d10a8aab7ce144155f7d8fc2a30ead3f
Instruction Fuzzy Hash: F121F2B59002189FDB10CFAAD984ADEBBF5FF48320F10841AE958A3350D375A950CFA0

Function 011F70B8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011F712F

Memory Dump Source

Source File: 0000000A.00000002.3417335292.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11f0000_ZUHFqcY.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: af88da3bd95e1150dae73702f290bd58e2e4b1458ef97da547f118a79bf6afb5
Instruction ID: 96909626d5c22d72285f6913d0eac5910ef994a1cb570e7c15d2c677863cca9d
Opcode Fuzzy Hash: af88da3bd95e1150dae73702f290bd58e2e4b1458ef97da547f118a79bf6afb5
Instruction Fuzzy Hash: F42125B28002598FDB14CF9AD884BEEFBF5AF49320F14845AE959A3250D778A944CF61

Function 011FEDD0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011FEE57

Memory Dump Source

Source File: 0000000A.00000002.3417335292.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11f0000_ZUHFqcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8f709cd1970be64795575d41b5e8582cbf8eefd9ff81cc7be73de113be1e33b2
Instruction ID: c83f76186ac6551727e6391069720f3354849dd2932c09883cf6cacc712d3cf2
Opcode Fuzzy Hash: 8f709cd1970be64795575d41b5e8582cbf8eefd9ff81cc7be73de113be1e33b2
Instruction Fuzzy Hash: 8621E3B59002099FDB10CF9AD984ADEBBF5FB48320F14841AE918A3210D374A950CF60

Function 06A2EFC0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06A2F8AA), ref: 06A2F997

Memory Dump Source

Source File: 0000000A.00000002.3443035794.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a20000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0f8f8da4e1ed17d8858a2acff70382e70cfdd48f2f4d7ab6c99bfc7233529099
Instruction ID: 9efd3fa5054d01bc0a4b52473d202d11dc101fafab6dec06ad823aa775c00f3a
Opcode Fuzzy Hash: 0f8f8da4e1ed17d8858a2acff70382e70cfdd48f2f4d7ab6c99bfc7233529099
Instruction Fuzzy Hash: A21147B1C0065A9FCB10DF9AC544B9EFBF4BF48620F10812AD918B7240D378A910CFA5

Function 06A2F928 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06A2F8AA), ref: 06A2F997

Memory Dump Source

Source File: 0000000A.00000002.3443035794.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6a20000_ZUHFqcY.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 61c17a8aabf9052e990a6c65169db724cfb156ea925189293a11aa2f1559517b
Instruction ID: 6f5d327f57119de0fe02ec4072ff20051e7a0dd1ad9b4fbf521a3a469cb43f22
Opcode Fuzzy Hash: 61c17a8aabf9052e990a6c65169db724cfb156ea925189293a11aa2f1559517b
Instruction Fuzzy Hash: C01136B1C0065A9FCB10CF9AC544BDEFBF4BF48720F11856AD918A7240D778A954CFA1

Function 069572F0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 06957356

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2b4e1f3a00c5e2db0c34dd3218071354d26efc99596f5ae347f64c235271487e
Instruction ID: bd31f8139517d0986912fefe50c1c5355795ec0b1b986fabda72a97c2e150a3f
Opcode Fuzzy Hash: 2b4e1f3a00c5e2db0c34dd3218071354d26efc99596f5ae347f64c235271487e
Instruction Fuzzy Hash: 0011E3B5C007498FDB10CF9AD444BDEFBF4AF88624F15841AD819B7610D375A545CFA1

Function 0695D118 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0695DFAD

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c797c7d5c445a9a62490680a11f92d5df641293ad81925aeddfcf37d1138aeda
Instruction ID: 0922b07f9c8a103a53261c6ee7a658620eeb712c4c583111b4073a12c5f9ea4d
Opcode Fuzzy Hash: c797c7d5c445a9a62490680a11f92d5df641293ad81925aeddfcf37d1138aeda
Instruction Fuzzy Hash: 7C1103B18047498FDB50DF9AD448B9EBBF8EF48220F208459E919A7610D378A944CFA5

Function 0695DF50 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0695DFAD

Memory Dump Source

Source File: 0000000A.00000002.3442752429.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6950000_ZUHFqcY.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a6d470cc6c1ff6149e7fde8d54ed606da5382d5b979fc5dc430bf9c925b4f59d
Instruction ID: 5e9f7c4dc60646235dd7769f6fa095a847be542e25262a19db23f5c873a62220
Opcode Fuzzy Hash: a6d470cc6c1ff6149e7fde8d54ed606da5382d5b979fc5dc430bf9c925b4f59d
Instruction Fuzzy Hash: C41133B58003488FCB10DF9AD444BDEBFF4EF48220F208419E918A7600C374A544CFA5

Function 0108D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3416540360.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_108d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d9bd28142d89af90926bdff61de9e586fe36df9e35c9385b3d927c853e9420
Instruction ID: c323895ab4745acfb47f682c1a9c9cb41e45e595100e14ba5145c87b12caf44b
Opcode Fuzzy Hash: 95d9bd28142d89af90926bdff61de9e586fe36df9e35c9385b3d927c853e9420
Instruction Fuzzy Hash: 6E212571508204EFDB15EF94D9C0B2ABBA1FB84314F20C6ADE9894B292C776D447CF62

Function 0108D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3416540360.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_108d000_ZUHFqcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 4f6dc057aac6b53e3997b3d6f9f757b3a37d1d9e1b20a7fd8650b56c0f715e40
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: A211BE75508284DFCB12DF54D5C0B15BBA2FB84314F24C6AAE8894B697C33AD44BCF61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nuevo orden.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZUHFqcY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nuevo orden.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gronkilf.uie.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l104djgz.owj.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0owurjf.x0c.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ytuyx3ok.f53.psm1

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe

C:\Users\user\AppData\Roaming\ZUHFqcY\ZUHFqcY.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
nuevo orden.exe

Function 06F2E9A4 Relevance: 1.8, APIs: 1, Instructions: 252
processCOMMON

Function 06F2E9B0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0281A9E8 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 06F2E2E8 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Function 06F2E2F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 06F2E810 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 0281D2BA Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 0281B3D0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 06F2E152 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre