Edit tour

Windows Analysis Report
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Overview

General Information

Sample name:	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Analysis ID:	1585874
MD5:	934331eda0b472009322a97523b5bfdd
SHA1:	0af4e8f64595d302ba3c5b277403230b73277eaa
SHA256:	1466c1e6bd4b88ad92eac2240158c6516b8601fc59fc4260711c20e269ba17cb
Tags:	exeuser-adrian__luca
Infos:

Detection

AsyncRAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe (PID: 5308 cmdline: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe" MD5: 934331EDA0B472009322A97523B5BFDD)

powershell.exe (PID: 764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3508 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 5484 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

DpmrYeeDGcj.exe (PID: 4136 cmdline: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe MD5: 934331EDA0B472009322A97523B5BFDD)

schtasks.exe (PID: 3428 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vbc.exe (PID: 5624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "ergsea.ydns.eu", "Port": "7393", "Version": "0.5.8", "MutexName": "0Yn3xzTdlCbn", "Autorun": "false", "Group": "null"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1612004323.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9781:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1613736255.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x18cef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x241cf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2fd43:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1a038:$a2: Stub.exe 0x1a0c8:$a2: Stub.exe 0x25518:$a2: Stub.exe 0x255a8:$a2: Stub.exe 0x31098:$a2: Stub.exe 0x31128:$a2: Stub.exe 0x15aff:$a3: get_ActivatePong 0x20fdf:$a3: get_ActivatePong 0x2cb53:$a3: get_ActivatePong 0x18f07:$a4: vmware 0x243e7:$a4: vmware 0x2ff5b:$a4: vmware 0x18d7f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2425f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x2fdd3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1684e:$a6: get_SslClient 0x21d2e:$a6: get_SslClient 0x2d8a2:$a6: get_SslClient
00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x1ecdb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x6c2b7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x77e73:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x20024:$a2: Stub.exe 0x200b4:$a2: Stub.exe 0x6d600:$a2: Stub.exe 0x6d690:$a2: Stub.exe 0x791c8:$a2: Stub.exe 0x79258:$a2: Stub.exe 0x1baeb:$a3: get_ActivatePong 0x690c7:$a3: get_ActivatePong 0x74c83:$a3: get_ActivatePong 0x1eef3:$a4: vmware 0x6c4cf:$a4: vmware 0x7808b:$a4: vmware 0x1ed6b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x6c347:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x77f03:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1c83a:$a6: get_SslClient 0x69e16:$a6: get_SslClient 0x759d2:$a6: get_SslClient
Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x67a38:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: vbc.exe PID: 5484	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: DpmrYeeDGcj.exe PID: 4136	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: DpmrYeeDGcj.exe PID: 4136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DpmrYeeDGcj.exe PID: 4136	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2cbf0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: vbc.exe PID: 5624	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: vbc.exe PID: 5624	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xe37b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7aef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d07:$a4: vmware 0x7b7f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564e:$a6: get_SslClient
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48ff:$str01: get_ActivatePong 0x564e:$str02: get_SslClient 0x566a:$str03: get_TcpClient 0x3f14:$str04: get_SendSync 0x3f64:$str05: get_IsConnected 0x4693:$str06: set_UseShellExecute 0x7e25:$str07: Pastebin 0x7ea7:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bff:$str10: timeout 3 > NUL 0x7aef:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b7f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b81:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7aef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d07:$a4: vmware 0x7b7f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564e:$a6: get_SslClient
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48ff:$str01: get_ActivatePong 0x564e:$str02: get_SslClient 0x566a:$str03: get_TcpClient 0x3f14:$str04: get_SendSync 0x3f64:$str05: get_IsConnected 0x4693:$str06: set_UseShellExecute 0x7e25:$str07: Pastebin 0x7ea7:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bff:$str10: timeout 3 > NUL 0x7aef:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b7f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b81:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7aef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d07:$a4: vmware 0x7b7f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564e:$a6: get_SslClient
9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48ff:$str01: get_ActivatePong 0x564e:$str02: get_SslClient 0x566a:$str03: get_TcpClient 0x3f14:$str04: get_SendSync 0x3f64:$str05: get_IsConnected 0x4693:$str06: set_UseShellExecute 0x7e25:$str07: Pastebin 0x7ea7:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bff:$str10: timeout 3 > NUL 0x7aef:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b7f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b81:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.vbc.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
12.2.vbc.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.vbc.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x9b07:$a4: vmware 0x997f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744e:$a6: get_SslClient
12.2.vbc.exe.400000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x744e:$str02: get_SslClient 0x746a:$str03: get_TcpClient 0x5d14:$str04: get_SendSync 0x5d64:$str05: get_IsConnected 0x6493:$str06: set_UseShellExecute 0x9c25:$str07: Pastebin 0x9ca7:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x99ff:$str10: timeout 3 > NUL 0x98ef:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x997f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
12.2.vbc.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x9981:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
9.2.DpmrYeeDGcj.exe.27d4400.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.DpmrYeeDGcj.exe.27d4400.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x7aef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x8e38:$a2: Stub.exe 0x8ec8:$a2: Stub.exe 0x48ff:$a3: get_ActivatePong 0x7d07:$a4: vmware 0x7b7f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x564e:$a6: get_SslClient
9.2.DpmrYeeDGcj.exe.27d4400.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x48ff:$str01: get_ActivatePong 0x564e:$str02: get_SslClient 0x566a:$str03: get_TcpClient 0x3f14:$str04: get_SendSync 0x3f64:$str05: get_IsConnected 0x4693:$str06: set_UseShellExecute 0x7e25:$str07: Pastebin 0x7ea7:$str08: Select * from AntivirusProduct 0x8e38:$str09: Stub.exe 0x8ec8:$str09: Stub.exe 0x7bff:$str10: timeout 3 > NUL 0x7aef:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x7b7f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
9.2.DpmrYeeDGcj.exe.27d4400.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x7b81:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x14dcf:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x20943:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x16118:$a2: Stub.exe 0x161a8:$a2: Stub.exe 0x21c98:$a2: Stub.exe 0x21d28:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x11bdf:$a3: get_ActivatePong 0x1d753:$a3: get_ActivatePong 0x9b07:$a4: vmware 0x14fe7:$a4: vmware 0x20b5b:$a4: vmware 0x997f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x14e5f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x209d3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744e:$a6: get_SslClient 0x1292e:$a6: get_SslClient 0x1e4a2:$a6: get_SslClient
9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x11bdf:$str01: get_ActivatePong 0x1d753:$str01: get_ActivatePong 0x744e:$str02: get_SslClient 0x1292e:$str02: get_SslClient 0x1e4a2:$str02: get_SslClient 0x746a:$str03: get_TcpClient 0x1294a:$str03: get_TcpClient 0x1e4be:$str03: get_TcpClient 0x5d14:$str04: get_SendSync 0x111f4:$str04: get_SendSync 0x1cd68:$str04: get_SendSync 0x5d64:$str05: get_IsConnected 0x11244:$str05: get_IsConnected 0x1cdb8:$str05: get_IsConnected 0x6493:$str06: set_UseShellExecute 0x11973:$str06: set_UseShellExecute 0x1d4e7:$str06: set_UseShellExecute 0x9c25:$str07: Pastebin 0x15105:$str07: Pastebin 0x20c79:$str07: Pastebin
9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x15463:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x167b8:$a2: Stub.exe 0x16848:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x12273:$a3: get_ActivatePong 0x9b07:$a4: vmware 0x1567b:$a4: vmware 0x997f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x154f3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744e:$a6: get_SslClient 0x12fc2:$a6: get_SslClient
9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x12273:$str01: get_ActivatePong 0x744e:$str02: get_SslClient 0x12fc2:$str02: get_SslClient 0x746a:$str03: get_TcpClient 0x12fde:$str03: get_TcpClient 0x5d14:$str04: get_SendSync 0x11888:$str04: get_SendSync 0x5d64:$str05: get_IsConnected 0x118d8:$str05: get_IsConnected 0x6493:$str06: set_UseShellExecute 0x12007:$str06: set_UseShellExecute 0x9c25:$str07: Pastebin 0x15799:$str07: Pastebin 0x9ca7:$str08: Select * from AntivirusProduct 0x1581b:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x167b8:$str09: Stub.exe 0x16848:$str09: Stub.exe 0x99ff:$str10: timeout 3 > NUL
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x154ab:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x16800:$a2: Stub.exe 0x16890:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x122bb:$a3: get_ActivatePong 0x9b07:$a4: vmware 0x156c3:$a4: vmware 0x997f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1553b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744e:$a6: get_SslClient 0x1300a:$a6: get_SslClient
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x122bb:$str01: get_ActivatePong 0x744e:$str02: get_SslClient 0x1300a:$str02: get_SslClient 0x746a:$str03: get_TcpClient 0x13026:$str03: get_TcpClient 0x5d14:$str04: get_SendSync 0x118d0:$str04: get_SendSync 0x5d64:$str05: get_IsConnected 0x11920:$str05: get_IsConnected 0x6493:$str06: set_UseShellExecute 0x1204f:$str06: set_UseShellExecute 0x9c25:$str07: Pastebin 0x157e1:$str07: Pastebin 0x9ca7:$str08: Select * from AntivirusProduct 0x15863:$str08: Select * from AntivirusProduct 0xac38:$str09: Stub.exe 0xacc8:$str09: Stub.exe 0x16800:$str09: Stub.exe 0x16890:$str09: Stub.exe 0x99ff:$str10: timeout 3 > NUL
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x98ef:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x56ecb:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x62a87:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xac38:$a2: Stub.exe 0xacc8:$a2: Stub.exe 0x58214:$a2: Stub.exe 0x582a4:$a2: Stub.exe 0x63ddc:$a2: Stub.exe 0x63e6c:$a2: Stub.exe 0x66ff:$a3: get_ActivatePong 0x53cdb:$a3: get_ActivatePong 0x5f897:$a3: get_ActivatePong 0x9b07:$a4: vmware 0x570e3:$a4: vmware 0x62c9f:$a4: vmware 0x997f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x56f5b:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x62b17:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x744e:$a6: get_SslClient 0x54a2a:$a6: get_SslClient 0x605e6:$a6: get_SslClient
0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x66ff:$str01: get_ActivatePong 0x53cdb:$str01: get_ActivatePong 0x5f897:$str01: get_ActivatePong 0x744e:$str02: get_SslClient 0x54a2a:$str02: get_SslClient 0x605e6:$str02: get_SslClient 0x746a:$str03: get_TcpClient 0x54a46:$str03: get_TcpClient 0x60602:$str03: get_TcpClient 0x5d14:$str04: get_SendSync 0x532f0:$str04: get_SendSync 0x5eeac:$str04: get_SendSync 0x5d64:$str05: get_IsConnected 0x53340:$str05: get_IsConnected 0x5eefc:$str05: get_IsConnected 0x6493:$str06: set_UseShellExecute 0x53a6f:$str06: set_UseShellExecute 0x5f62b:$str06: set_UseShellExecute 0x9c25:$str07: Pastebin 0x57201:$str07: Pastebin 0x62dbd:$str07: Pastebin
Click to see the 38 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", CommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, NewProcessName: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", ProcessId: 5308, ProcessName: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", ParentImage: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ParentProcessId: 5308, ParentProcessName: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", ProcessId: 764, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe, ParentImage: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe, ParentProcessId: 4136, ParentProcessName: DpmrYeeDGcj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp", ProcessId: 3428, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", ParentImage: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ParentProcessId: 5308, ParentProcessName: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", ProcessId: 3508, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", ParentImage: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ParentProcessId: 5308, ParentProcessName: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe", ProcessId: 764, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe", ParentImage: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ParentProcessId: 5308, ParentProcessName: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp", ProcessId: 3508, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:40.757332+0100	2035595	1	Domain Observed Used for C2 Detected	67.203.7.171	7393	192.168.2.8	49712	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:40.757332+0100	2035607	1	Domain Observed Used for C2 Detected	67.203.7.171	7393	192.168.2.8	49712	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Avira: detected

Antivirus detection for URL or domain

Source: ergsea.ydns.eu

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Avira: detection malicious, Label: HEUR/AGEN.1309493

Found malware configuration

Source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "ergsea.ydns.eu", "Port": "7393", "Version": "0.5.8", "MutexName": "0Yn3xzTdlCbn", "Autorun": "false", "Group": "null"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

ReversingLabs: Detection: 44%

Multi AV Scanner detection for submitted file

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Virustotal: Detection: 27%			Perma Link
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Joe Sandbox ML: detected

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 67.203.7.171:7393 -> 192.168.2.8:49712
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 67.203.7.171:7393 -> 192.168.2.8:49712
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 67.203.7.171:7393 -> 192.168.2.8:49712

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ergsea.ydns.eu

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:49712 -> 67.203.7.171:7393

Source: Joe Sandbox View

ASN Name: AS-COLOAMUS AS-COLOAMUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ergsea.ydns.eu

Source: vbc.exe, 00000007.00000002.2833489771.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: vbc.exe, 00000007.00000002.2833489771.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, DpmrYeeDGcj.exe, 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, DpmrYeeDGcj.exe.0.dr	String found in binary or memory: http://tempuri.org/WarehouseDataDataSet.xsdYhttp://tempuri.org/WarehouseDataDataSet1.xsdEkursachForA

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_030CD88C	0_2_030CD88C
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_05814060	0_2_05814060
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_05814B20	0_2_05814B20
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_05811B51	0_2_05811B51
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_05811B60	0_2_05811B60
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A0D030	0_2_07A0D030
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A06520	0_2_07A06520
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A0650F	0_2_07A0650F
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A05220	0_2_07A05220
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A04DE8	0_2_07A04DE8
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A049B0	0_2_07A049B0
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Code function: 0_2_07A06958	0_2_07A06958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 7_2_00D665C0	7_2_00D665C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 7_2_00D65CF0	7_2_00D65CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 7_2_00D6A7A8	7_2_00D6A7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 7_2_00D659A8	7_2_00D659A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 7_2_00D66EC0	7_2_00D66EC0
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_025AD88C	9_2_025AD88C
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_04C97718	9_2_04C97718
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_04C94060	9_2_04C94060
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_04C94B11	9_2_04C94B11
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_04C91B60	9_2_04C91B60
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_04C91B28	9_2_04C91B28
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E8C2B0	9_2_06E8C2B0
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E86520	9_2_06E86520
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E8650F	9_2_06E8650F
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E85220	9_2_06E85220
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E84DE8	9_2_06E84DE8
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E849B0	9_2_06E849B0
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E84980	9_2_06E84980
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E86958	9_2_06E86958

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1612004323.00000000042A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1610280728.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000000.1581705807.0000000000EC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAjiU.exe< vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1613736255.0000000005B00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1615989726.0000000007970000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Binary or memory string: OriginalFilenameAjiU.exe< vs PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DpmrYeeDGcj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, Settings.cs	Base64 encoded string: 'Ve0QCyP0PKYe6p7A2M/Lh2ZR2ExFV2wMh3ZsNCuvbVP5z8sDi+s4q5DI9V7GuyarBZntknypLkx+LWlkN0SARA==', 'LYsHXvCEQpu/yP6CrXcanNhq/N/ZUIA8Sjm1B1tVJN1F0la3/ZibZQvny5BrTpZfC9aIBQW25XWdQoYgTdW1vQ==', 'mapUozYfCl9jd6BOdL1FjVfMHpRQuDk6VBbnqUsjhDr/r2G6kzn4ByA0qn0x88X0iw44w2+VFZ2cwMXNOxFcwQ==', 'rZ1gD5QdIVjccca7woGTzwaBccBkzLBXO4f1qHjirwDnt1oxU6cGH/7OytHoZUqQa+mmImoVjmceOLyUcYbIC+O2cboJ5jGWjP8DoXgt4W+x+x9cHJjhGv7nIGZhjGBmsAzEQ0gW80wmCJXruA8AsaJij5OPNoIqxdwJsrRAgwX3w6EarB/agyeuvDQYqL1P2n4mO9/ZtAVRWsVxlr8rCl66k60fCQd+TkU9T75/DQtO/+baxDvGSrLTu78HGfShz879Y9Q4U4epMsW8BVQAoGgxAwweAa/F39/aamusBjOVzzYr/AMmVaTYVBvTUBbHUMLDEtapxc+zq9T3S/m41iUZXRRcTYo2EZYBHhbd5bdyRvVVKslYRij4jZGsLzQ7dPHvO26U3PClsYPDGw+41G+6Q8bo42kH+Ix3IV5gS/IefrRKfB/zY9ISURNhkiN5NOS8NWFJUbkMd8iPgZQ2xqgXLaYC2tdSPbk4+f107eNNyyRyYw1adlKZSL5bSD3J4bVXgYhx3gay3kOFhJb4OVzvaDPtIATby4YivpTUr3LllVkHH8kXNrm4K1GoZzW1VgZB6fd5dNC8NKUYd6/UwRiKyxUr9sMfX2rraw+1cF5nP4pGGVwAX1OQDSACxN2lT5NY+DB9upHtsKloGsVaR9zglMZJpuJmIZk3lkAIXxwajnATRIyw5vQ81GZAgnGzkBJY/iZCCEef+4yjkZSFiB/bssmB13TXTYrqWSM9TFHso+2HggjYP+i6UypIQJRr/CSao4uQvZgpG3/j7Qpr1MSd5NLmDyq3i/CYqbxlDy5/0+dL3CVvi0cNhXAiyQxgrEXgGa0BXF9WjP+pQejNnbuLZKoHb/i3yWEo7YRssxokXV5GPXzLWnXDV+9jXvtPM5nCCSUJP2C4HVuv/6Kb8YKt+w/1aEjCmXrO3r/kce+Ap+RQ5ps8G6nyT3IQop85zMqmcEQbLOu3Ew/wCerqBA5QKh4HebbPqchMp6uv2Mlpp3y3te+w5AVU3cLqRtIedzPMYoOeFysjmjszzblZ8ZCLU2v0lpWDkeQn7mWsm/fFJ6ESH2cGP8BJSDEUo1xY15SbvEqSWBX2GhThvCgT6hw5X78//vFwv2QbJsju+9COcJpmypqevaEFRB3Kv5dZrAGAN/XSn0ZrIm16t7wP2PYbbfVXnep6ZdD124Xp+oe5jaPDOj/hyz+Wl7S068OaxQ1X1SZ68ZmYCYhSvCakKCoW9eSGvHsiaw5tqI1mrF7wIk4WH+scbqj/myLt4NWSFDzBS/r0Zh1MwMxqV4p9X7ASN0VckTXDX5ltqNImFPDER3fCbw58DJSkF9qzcSgFD9f7dp5V9d6ELP68TKgFKlg8WVumvM/Z4rycfX5cgQBOgZATyUatFQ5JcEZJ7vPGLzI86HajrDVADXa8yUDnK7Efpu/Yu30EWDoiYG1ktYkq44tRlNodIBp5xCHpdRI/hMkHQeNqTfluORdIhLqHzsOY5K4exOR6FxpcfYWXpyhUmbDYF7YymE/b978pTwPbiL1VjDMM23ZoDMlFzkEKEZtd4ZuYSaPkq2Ru7VgnDbLzDLk7doYkpy5tK5PjujEQeOagPILSv5yusTmGTyZrx5x6LzRVeNKuRfKLpo7Pa1Z1toWcXeZMqhFXvVmmS60sqlwrbsEcRb8nsh6NpYbVkCALQfstB2ot4wdnNi+3GOQUhUss80Kgcz/vLgrRj7EJ/CTvsPFhLGz8akA2737JGEV6q9o2oc9KuRMUzX5H1A6IST2+eRcs+nwCU37H5IWVa6fEaQISHoMUGjjNM79ucnG3Br3wKPzkjWVGGrzQz1TxR7IcUeorSmVMHE9jg1R7GV3hSs07WTnrgqEC9BnY/taf5A2dh9UBgnipT6WDF19X6jSlDbgv3k3XWwKY8qhhJeIA2pHjZ8x+3HLBGQptIpmP1SgrhwcwnhFQCZa0dKYV+pIvQK9OIYGqsAo7yCdnQv4dzKP+VcwJXNTx09p02dzqv6HjCG98vNSk5/wqcfQgu0efBBUXdJBOzAQFoDdOt20YzcOq3aOBUkN/TXTvAhnvzfqTV93BW9qvLwIuy+Tc/vr9/4HR2GhhULoaS0r35+WwJZKv5ee4Wob8+aqxAdAwor7kB25j7LzqGWJiHjXR4PScOJQyIAJwBhHPoenmLeCib2x+5zHao7WFO7d7ZcQUHV5Dq82XGG4zDNlzHreMOG3utqSZlwps8YZaPtAE3mHhnEWG2GWqok9uOc9Pee8gQngrflbK9TLGRSJnam2qWJyWwarQ8S5MJmAZsIyRGb8JAPjwNWEPnAO8RCituCTKAf+Bnz2p2sy0871psto=', 'RJuliM4GxUEbgYtjVFeHMjOOIVmAjBBrVRJSc23Of5upURQumuZrfe9YmFy59g3z8ZU3U8biks8vAEW65Nwh1w==', 'MH+NyCfbK5JzJMDleIYzJtR4QbUX/5wRQEElglz6bW/iyHWwD+fId5cP4Kr/LDaK9bS28dkgK2QXm7LfjNNUcg==', 'ok7CuwzS/xIaJh/B+pQpOVdaCsbZ6JSX+rSQuWLrnwNi/fWfERfPtmJ9yDgiK0ZMZ/My9gehBnNuO762u6mVWw=='
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, Settings.cs	Base64 encoded string: 'Ve0QCyP0PKYe6p7A2M/Lh2ZR2ExFV2wMh3ZsNCuvbVP5z8sDi+s4q5DI9V7GuyarBZntknypLkx+LWlkN0SARA==', 'LYsHXvCEQpu/yP6CrXcanNhq/N/ZUIA8Sjm1B1tVJN1F0la3/ZibZQvny5BrTpZfC9aIBQW25XWdQoYgTdW1vQ==', 'mapUozYfCl9jd6BOdL1FjVfMHpRQuDk6VBbnqUsjhDr/r2G6kzn4ByA0qn0x88X0iw44w2+VFZ2cwMXNOxFcwQ==', 'rZ1gD5QdIVjccca7woGTzwaBccBkzLBXO4f1qHjirwDnt1oxU6cGH/7OytHoZUqQa+mmImoVjmceOLyUcYbIC+O2cboJ5jGWjP8DoXgt4W+x+x9cHJjhGv7nIGZhjGBmsAzEQ0gW80wmCJXruA8AsaJij5OPNoIqxdwJsrRAgwX3w6EarB/agyeuvDQYqL1P2n4mO9/ZtAVRWsVxlr8rCl66k60fCQd+TkU9T75/DQtO/+baxDvGSrLTu78HGfShz879Y9Q4U4epMsW8BVQAoGgxAwweAa/F39/aamusBjOVzzYr/AMmVaTYVBvTUBbHUMLDEtapxc+zq9T3S/m41iUZXRRcTYo2EZYBHhbd5bdyRvVVKslYRij4jZGsLzQ7dPHvO26U3PClsYPDGw+41G+6Q8bo42kH+Ix3IV5gS/IefrRKfB/zY9ISURNhkiN5NOS8NWFJUbkMd8iPgZQ2xqgXLaYC2tdSPbk4+f107eNNyyRyYw1adlKZSL5bSD3J4bVXgYhx3gay3kOFhJb4OVzvaDPtIATby4YivpTUr3LllVkHH8kXNrm4K1GoZzW1VgZB6fd5dNC8NKUYd6/UwRiKyxUr9sMfX2rraw+1cF5nP4pGGVwAX1OQDSACxN2lT5NY+DB9upHtsKloGsVaR9zglMZJpuJmIZk3lkAIXxwajnATRIyw5vQ81GZAgnGzkBJY/iZCCEef+4yjkZSFiB/bssmB13TXTYrqWSM9TFHso+2HggjYP+i6UypIQJRr/CSao4uQvZgpG3/j7Qpr1MSd5NLmDyq3i/CYqbxlDy5/0+dL3CVvi0cNhXAiyQxgrEXgGa0BXF9WjP+pQejNnbuLZKoHb/i3yWEo7YRssxokXV5GPXzLWnXDV+9jXvtPM5nCCSUJP2C4HVuv/6Kb8YKt+w/1aEjCmXrO3r/kce+Ap+RQ5ps8G6nyT3IQop85zMqmcEQbLOu3Ew/wCerqBA5QKh4HebbPqchMp6uv2Mlpp3y3te+w5AVU3cLqRtIedzPMYoOeFysjmjszzblZ8ZCLU2v0lpWDkeQn7mWsm/fFJ6ESH2cGP8BJSDEUo1xY15SbvEqSWBX2GhThvCgT6hw5X78//vFwv2QbJsju+9COcJpmypqevaEFRB3Kv5dZrAGAN/XSn0ZrIm16t7wP2PYbbfVXnep6ZdD124Xp+oe5jaPDOj/hyz+Wl7S068OaxQ1X1SZ68ZmYCYhSvCakKCoW9eSGvHsiaw5tqI1mrF7wIk4WH+scbqj/myLt4NWSFDzBS/r0Zh1MwMxqV4p9X7ASN0VckTXDX5ltqNImFPDER3fCbw58DJSkF9qzcSgFD9f7dp5V9d6ELP68TKgFKlg8WVumvM/Z4rycfX5cgQBOgZATyUatFQ5JcEZJ7vPGLzI86HajrDVADXa8yUDnK7Efpu/Yu30EWDoiYG1ktYkq44tRlNodIBp5xCHpdRI/hMkHQeNqTfluORdIhLqHzsOY5K4exOR6FxpcfYWXpyhUmbDYF7YymE/b978pTwPbiL1VjDMM23ZoDMlFzkEKEZtd4ZuYSaPkq2Ru7VgnDbLzDLk7doYkpy5tK5PjujEQeOagPILSv5yusTmGTyZrx5x6LzRVeNKuRfKLpo7Pa1Z1toWcXeZMqhFXvVmmS60sqlwrbsEcRb8nsh6NpYbVkCALQfstB2ot4wdnNi+3GOQUhUss80Kgcz/vLgrRj7EJ/CTvsPFhLGz8akA2737JGEV6q9o2oc9KuRMUzX5H1A6IST2+eRcs+nwCU37H5IWVa6fEaQISHoMUGjjNM79ucnG3Br3wKPzkjWVGGrzQz1TxR7IcUeorSmVMHE9jg1R7GV3hSs07WTnrgqEC9BnY/taf5A2dh9UBgnipT6WDF19X6jSlDbgv3k3XWwKY8qhhJeIA2pHjZ8x+3HLBGQptIpmP1SgrhwcwnhFQCZa0dKYV+pIvQK9OIYGqsAo7yCdnQv4dzKP+VcwJXNTx09p02dzqv6HjCG98vNSk5/wqcfQgu0efBBUXdJBOzAQFoDdOt20YzcOq3aOBUkN/TXTvAhnvzfqTV93BW9qvLwIuy+Tc/vr9/4HR2GhhULoaS0r35+WwJZKv5ee4Wob8+aqxAdAwor7kB25j7LzqGWJiHjXR4PScOJQyIAJwBhHPoenmLeCib2x+5zHao7WFO7d7ZcQUHV5Dq82XGG4zDNlzHreMOG3utqSZlwps8YZaPtAE3mHhnEWG2GWqok9uOc9Pee8gQngrflbK9TLGRSJnam2qWJyWwarQ8S5MJmAZsIyRGb8JAPjwNWEPnAO8RCituCTKAf+Bnz2p2sy0871psto=', 'RJuliM4GxUEbgYtjVFeHMjOOIVmAjBBrVRJSc23Of5upURQumuZrfe9YmFy59g3z8ZU3U8biks8vAEW65Nwh1w==', 'MH+NyCfbK5JzJMDleIYzJtR4QbUX/5wRQEElglz6bW/iyHWwD+fId5cP4Kr/LDaK9bS28dkgK2QXm7LfjNNUcg==', 'ok7CuwzS/xIaJh/B+pQpOVdaCsbZ6JSX+rSQuWLrnwNi/fWfERfPtmJ9yDgiK0ZMZ/My9gehBnNuO762u6mVWw=='

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, vUiQCgA1SLcb5Vbk50.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, vUiQCgA1SLcb5Vbk50.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FFjGXIVxy8sppJowx4.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@16/14@1/1

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File created: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\0Yn3xzTdlCbn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File created: C:\Users\user\AppData\Local\Temp\tmpED50.tmp

Jump to behavior

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Virustotal: Detection: 27%
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File read: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe "C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe"
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FFjGXIVxy8sppJowx4.cs	.Net Code: t834aO6WE0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FFjGXIVxy8sppJowx4.cs	.Net Code: t834aO6WE0 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E82227 push es; retf		9_2_06E82240
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Code function: 9_2_06E80019 push es; retf		9_2_06E8001C

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Static PE information: section name: .text entropy: 7.593765375690727
Source: DpmrYeeDGcj.exe.0.dr	Static PE information: section name: .text entropy: 7.593765375690727

Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, H4HrRDLet6nxZnRoLJ.cs	High entropy of concatenated method names: 'qXVMYGvSiK', 'kTdMxJctLO', 'nGsMaoXK4k', 'f5QMrSqZJm', 'KfmMcf9xSy', 'rwMMdhviU4', 'uwQM1X2KnI', 'Ca6MAseXvF', 'i8NMX5TZ2h', 'iSuMQwpKGe'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, wZWgtGQqYGZ4DKcDco.cs	High entropy of concatenated method names: 'hQlvc5f1xA', 'mLBv1y7W58', 'UDfefB0sJf', 'IMsePiW8Bj', 'mr6eNwWZA5', 'NE0eSZhShe', 'ekKeZj8LwA', 'yyNeINtc3H', 'ovneLonTLM', 'ibrebYJQSv'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, vUiQCgA1SLcb5Vbk50.cs	High entropy of concatenated method names: 's4Tps5r1xR', 'PTqpTVw8Sp', 'vWnpWCreZr', 'MiMpi1Ftiu', 'CM0plUUVQp', 'RvtpwIUSgM', 'GeSpJeDrqF', 'eMOptjO3qH', 'gchpgltUGY', 'wjtpG0FgWZ'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, SVjfttkkxHb5e1GwT1t.cs	High entropy of concatenated method names: 'cvmRGmh1RS', 'b7rRzx3EAY', 'eYrBo6bCQg', 'rODBkukTiE', 'aarB9DFx0d', 'Fj1BDyiZQH', 'WwZB4XlmeY', 'nDjB0Ll0uD', 'Y7WBCy51Gf', 'mHxBpgkPM2'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FFjGXIVxy8sppJowx4.cs	High entropy of concatenated method names: 'sx2D005nax', 'vtsDCI6Y9g', 'yhtDpO2S2X', 'U5JDeKH3W9', 'yj2DvIEhbX', 'xRTDH5XaHH', 'LH1DMPQRfu', 'yMEDVjG8rl', 'jGoDOj0cad', 'ANfD3jj1Cm'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, uoqQbHJEBvip9g8ZmN.cs	High entropy of concatenated method names: 'w7amhfKBs0', 'fRYmjIm1jd', 'XKFmm4afgA', 'qGamB4o0Wn', 'nm5mEX9EdG', 'tYqm7QQj54', 'Dispose', 'B0YqCTTgir', 'YvPqpFQwks', 'hYpqeKDkXK'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, z81cOhsVYBPHe7t46R.cs	High entropy of concatenated method names: 'VUXhbJeEUG', 'MeLh8At4bJ', 'stQhs0Utku', 'YwJhTtKl6J', 'DoWh6ZIU0c', 'hvihfRY1Oi', 'Vt9hPgL8bN', 'aLHhNmUpVE', 'kq2hSUWj0X', 'TyfhZuFGPT'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, bg2RESk91Ba3EYEODsn.cs	High entropy of concatenated method names: 'ToString', 'QoEBAiYKdj', 'dG2BX2BC88', 'tclBQ9UWaj', 'hwUBy1NTV1', 'ugMB6rWuUm', 'YfHBf1i64K', 'YfcBPjPfY1', 'QiOxqNvRwp7CasTwIc2', 'm8LygqvUVFsJZeBZA6u'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, FZieSGzgU6YC4IKkeH.cs	High entropy of concatenated method names: 'X8yRdRBwNa', 'jq8RADAtT6', 'cZ5RX864ff', 'z4fRyRy2aC', 't0fR6eHFoL', 'LrVRPOyxNR', 'QNJRNpeWHm', 'cveR79dDoM', 'KqORYuEU74', 'J4BRxSN6Il'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, vDhEBYk4KuwxcSkX09o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jdx5mP5aOY', 'PEH5RBlrDn', 'bkv5B2qD2E', 'G9w551ZHll', 'EIF5EKyX1i', 'w9F52sD6LX', 'KEu57fmVoq'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, zjG29wGJDqksF103Bn.cs	High entropy of concatenated method names: 'mAOReaAvX6', 'e2tRvHaS2A', 'bjVRHDT0b5', 'GcmRMfk2VV', 'Yb7RmwsFLY', 'hB9RVpbbDf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, VvsYN6pGjwMNFb4fuO.cs	High entropy of concatenated method names: 'Dispose', 'hipkg9g8Zm', 'haH96TtAJN', 'mSgs63NXwo', 'JpRkGXsFj6', 'IEJkztNOP4', 'ProcessDialogKey', 'h9G9oVxrml', 'iFw9kme385', 'KUJ99ajG29'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, YVxrmlgHFwme385SUJ.cs	High entropy of concatenated method names: 'GP8myEsEGK', 'JHhm6dWaAc', 'gUFmfFvL8D', 'SoVmPngsY2', 'k1KmNDqmec', 'NjbmS06Tn3', 'Xd7mZymVni', 'xK6mI656vO', 'ObEmLvjipx', 'WS7mbR73oH'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, kurEIMe0vIsvopgmmI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'i3h9gyqT5B', 'Shi9GExmX8', 'uWw9zMWCEY', 'fHBDoQ4epU', 'OPRDktGGCP', 'lLCD9wej7c', 'iMRDDcVWkK', 'tmCvjnUkm1yg4YL2vBQ'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, Ki48kJZT2JJygMei76.cs	High entropy of concatenated method names: 'EM9MCJxZDZ', 'rUwMeCDMui', 'kVQMHuAJAW', 'Q3RHGgIbOh', 'Vg2HzjMDMZ', 'ieMMofWNf6', 'nchMkaoxa4', 'N87M9Xmbbr', 'aSpMDKNJSF', 'UuZM4EZ1HI'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, IvD69dumijculCvkCC.cs	High entropy of concatenated method names: 'BLuFAdv4Hu', 'HJnFXpvgy2', 'Mk0Fy373jy', 'bUJF6GFI5S', 'CohFP1s38F', 'cyfFNa3JQ9', 'h11FZboE7i', 'fV6FIVVs5t', 'CMbFbpNlOV', 'Y95FKJi4rc'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, SQfIqs4P0jxXaVY05B.cs	High entropy of concatenated method names: 'Ic2kMUiQCg', 'DSLkVcb5Vb', 'jQgk3NAKfe', 'mO3kUA2ZWg', 'OcDkhcoEPn', 'AvJknO47FV', 'ubYx4gZFAgGN5a5CG7', 'xjMQRI57g54nyupWoR', 'xNNkkhsOjh', 'M7rkDp0OfM'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, sXQEBuwKbnBmbSpv9M.cs	High entropy of concatenated method names: 'SOajt2xbQm', 'ITtjGgaUZS', 'EH2qouKBar', 'pCRqk1fb8q', 'M9PjKaN1M3', 'FhMj8XygjP', 'jEHju7wuZ1', 'QT9jsei7Dq', 'EDgjT2nYfw', 'bOpjWJ90dC'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, Kxl3EN9mBN6H1OvJtq.cs	High entropy of concatenated method names: 'fPyaLNQIa', 'RVBr0630I', 'd7Zd5SoDh', 'EMU14pdAw', 'eG3XM3AyL', 'J8hQR0Ax2', 'GLyI4fepwvDb9lrB2V', 'cok81lHvKLGR9b1jyW', 'staqRYJyb', 'is4RPaAOO'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, vPnrvJyO47FVXqHKyx.cs	High entropy of concatenated method names: 'VOaH0W0EdG', 'NPmHpaNnKh', 'gpRHvM53OY', 'IXAHM8JcHp', 'ra0HVPIVbP', 'AZ7vlwdvWq', 'm48vwb3dMH', 'LScvJjdVy0', 'FJpvtQyrtU', 'It3vg4Otvs'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, q166LMXQgNAKfe3O3A.cs	High entropy of concatenated method names: 'woker8GwWe', 'l6PedbqA07', 'LsteABSXkE', 'xCyeXjmOVb', 'qhqehVfhI3', 'X3benkDtqx', 'A53ejBQSTo', 'td2eqx3PpB', 'sChemNXE51', 'h8deReRbqt'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, OEgM43kopDkYWIjt8uE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BMVRKbu9bx', 'jJQR8q0JTI', 'YrQRuNr000', 'y3HRsDwDmB', 'tf3RThDg0a', 'EGqRWONl5G', 'tBBRipIa7o'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, XOlOvlS1MoVQ1NQ3tm.cs	High entropy of concatenated method names: 'e0pHWrmi81', 'KVsHiMu937', 'VeuHlvmJL8', 'ToString', 'SAUHwKR54n', 'KYrHJNPXbH', 'hpFMgQBEkGvWR9AHgxb', 'dQAP8SBW10a8GljXEQs', 'g4k6vXB4B22V7vKSUuU'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.449b298.2.raw.unpack, lKmqV9PtYSd19SYVB2.cs	High entropy of concatenated method names: 'i5NH7KMpJx', 'x3NHYPjhKd', 'C35HaoWmkn', 'vqrHr1FIaX', 'zseHdRo0V9', 'SAmH1hGZBU', 'niOHXHCAts', 'y11HQtBfSZ', 'EZHMifByNDUN23dLG96', 'yh3QmNBxX8fdc8sMvaD'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, H4HrRDLet6nxZnRoLJ.cs	High entropy of concatenated method names: 'qXVMYGvSiK', 'kTdMxJctLO', 'nGsMaoXK4k', 'f5QMrSqZJm', 'KfmMcf9xSy', 'rwMMdhviU4', 'uwQM1X2KnI', 'Ca6MAseXvF', 'i8NMX5TZ2h', 'iSuMQwpKGe'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, wZWgtGQqYGZ4DKcDco.cs	High entropy of concatenated method names: 'hQlvc5f1xA', 'mLBv1y7W58', 'UDfefB0sJf', 'IMsePiW8Bj', 'mr6eNwWZA5', 'NE0eSZhShe', 'ekKeZj8LwA', 'yyNeINtc3H', 'ovneLonTLM', 'ibrebYJQSv'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, vUiQCgA1SLcb5Vbk50.cs	High entropy of concatenated method names: 's4Tps5r1xR', 'PTqpTVw8Sp', 'vWnpWCreZr', 'MiMpi1Ftiu', 'CM0plUUVQp', 'RvtpwIUSgM', 'GeSpJeDrqF', 'eMOptjO3qH', 'gchpgltUGY', 'wjtpG0FgWZ'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, SVjfttkkxHb5e1GwT1t.cs	High entropy of concatenated method names: 'cvmRGmh1RS', 'b7rRzx3EAY', 'eYrBo6bCQg', 'rODBkukTiE', 'aarB9DFx0d', 'Fj1BDyiZQH', 'WwZB4XlmeY', 'nDjB0Ll0uD', 'Y7WBCy51Gf', 'mHxBpgkPM2'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FFjGXIVxy8sppJowx4.cs	High entropy of concatenated method names: 'sx2D005nax', 'vtsDCI6Y9g', 'yhtDpO2S2X', 'U5JDeKH3W9', 'yj2DvIEhbX', 'xRTDH5XaHH', 'LH1DMPQRfu', 'yMEDVjG8rl', 'jGoDOj0cad', 'ANfD3jj1Cm'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, uoqQbHJEBvip9g8ZmN.cs	High entropy of concatenated method names: 'w7amhfKBs0', 'fRYmjIm1jd', 'XKFmm4afgA', 'qGamB4o0Wn', 'nm5mEX9EdG', 'tYqm7QQj54', 'Dispose', 'B0YqCTTgir', 'YvPqpFQwks', 'hYpqeKDkXK'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, z81cOhsVYBPHe7t46R.cs	High entropy of concatenated method names: 'VUXhbJeEUG', 'MeLh8At4bJ', 'stQhs0Utku', 'YwJhTtKl6J', 'DoWh6ZIU0c', 'hvihfRY1Oi', 'Vt9hPgL8bN', 'aLHhNmUpVE', 'kq2hSUWj0X', 'TyfhZuFGPT'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, bg2RESk91Ba3EYEODsn.cs	High entropy of concatenated method names: 'ToString', 'QoEBAiYKdj', 'dG2BX2BC88', 'tclBQ9UWaj', 'hwUBy1NTV1', 'ugMB6rWuUm', 'YfHBf1i64K', 'YfcBPjPfY1', 'QiOxqNvRwp7CasTwIc2', 'm8LygqvUVFsJZeBZA6u'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, FZieSGzgU6YC4IKkeH.cs	High entropy of concatenated method names: 'X8yRdRBwNa', 'jq8RADAtT6', 'cZ5RX864ff', 'z4fRyRy2aC', 't0fR6eHFoL', 'LrVRPOyxNR', 'QNJRNpeWHm', 'cveR79dDoM', 'KqORYuEU74', 'J4BRxSN6Il'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, vDhEBYk4KuwxcSkX09o.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jdx5mP5aOY', 'PEH5RBlrDn', 'bkv5B2qD2E', 'G9w551ZHll', 'EIF5EKyX1i', 'w9F52sD6LX', 'KEu57fmVoq'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, zjG29wGJDqksF103Bn.cs	High entropy of concatenated method names: 'mAOReaAvX6', 'e2tRvHaS2A', 'bjVRHDT0b5', 'GcmRMfk2VV', 'Yb7RmwsFLY', 'hB9RVpbbDf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, VvsYN6pGjwMNFb4fuO.cs	High entropy of concatenated method names: 'Dispose', 'hipkg9g8Zm', 'haH96TtAJN', 'mSgs63NXwo', 'JpRkGXsFj6', 'IEJkztNOP4', 'ProcessDialogKey', 'h9G9oVxrml', 'iFw9kme385', 'KUJ99ajG29'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, YVxrmlgHFwme385SUJ.cs	High entropy of concatenated method names: 'GP8myEsEGK', 'JHhm6dWaAc', 'gUFmfFvL8D', 'SoVmPngsY2', 'k1KmNDqmec', 'NjbmS06Tn3', 'Xd7mZymVni', 'xK6mI656vO', 'ObEmLvjipx', 'WS7mbR73oH'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, kurEIMe0vIsvopgmmI.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'i3h9gyqT5B', 'Shi9GExmX8', 'uWw9zMWCEY', 'fHBDoQ4epU', 'OPRDktGGCP', 'lLCD9wej7c', 'iMRDDcVWkK', 'tmCvjnUkm1yg4YL2vBQ'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, Ki48kJZT2JJygMei76.cs	High entropy of concatenated method names: 'EM9MCJxZDZ', 'rUwMeCDMui', 'kVQMHuAJAW', 'Q3RHGgIbOh', 'Vg2HzjMDMZ', 'ieMMofWNf6', 'nchMkaoxa4', 'N87M9Xmbbr', 'aSpMDKNJSF', 'UuZM4EZ1HI'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, IvD69dumijculCvkCC.cs	High entropy of concatenated method names: 'BLuFAdv4Hu', 'HJnFXpvgy2', 'Mk0Fy373jy', 'bUJF6GFI5S', 'CohFP1s38F', 'cyfFNa3JQ9', 'h11FZboE7i', 'fV6FIVVs5t', 'CMbFbpNlOV', 'Y95FKJi4rc'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, SQfIqs4P0jxXaVY05B.cs	High entropy of concatenated method names: 'Ic2kMUiQCg', 'DSLkVcb5Vb', 'jQgk3NAKfe', 'mO3kUA2ZWg', 'OcDkhcoEPn', 'AvJknO47FV', 'ubYx4gZFAgGN5a5CG7', 'xjMQRI57g54nyupWoR', 'xNNkkhsOjh', 'M7rkDp0OfM'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, sXQEBuwKbnBmbSpv9M.cs	High entropy of concatenated method names: 'SOajt2xbQm', 'ITtjGgaUZS', 'EH2qouKBar', 'pCRqk1fb8q', 'M9PjKaN1M3', 'FhMj8XygjP', 'jEHju7wuZ1', 'QT9jsei7Dq', 'EDgjT2nYfw', 'bOpjWJ90dC'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, Kxl3EN9mBN6H1OvJtq.cs	High entropy of concatenated method names: 'fPyaLNQIa', 'RVBr0630I', 'd7Zd5SoDh', 'EMU14pdAw', 'eG3XM3AyL', 'J8hQR0Ax2', 'GLyI4fepwvDb9lrB2V', 'cok81lHvKLGR9b1jyW', 'staqRYJyb', 'is4RPaAOO'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, vPnrvJyO47FVXqHKyx.cs	High entropy of concatenated method names: 'VOaH0W0EdG', 'NPmHpaNnKh', 'gpRHvM53OY', 'IXAHM8JcHp', 'ra0HVPIVbP', 'AZ7vlwdvWq', 'm48vwb3dMH', 'LScvJjdVy0', 'FJpvtQyrtU', 'It3vg4Otvs'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, q166LMXQgNAKfe3O3A.cs	High entropy of concatenated method names: 'woker8GwWe', 'l6PedbqA07', 'LsteABSXkE', 'xCyeXjmOVb', 'qhqehVfhI3', 'X3benkDtqx', 'A53ejBQSTo', 'td2eqx3PpB', 'sChemNXE51', 'h8deReRbqt'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, OEgM43kopDkYWIjt8uE.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BMVRKbu9bx', 'jJQR8q0JTI', 'YrQRuNr000', 'y3HRsDwDmB', 'tf3RThDg0a', 'EGqRWONl5G', 'tBBRipIa7o'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, XOlOvlS1MoVQ1NQ3tm.cs	High entropy of concatenated method names: 'e0pHWrmi81', 'KVsHiMu937', 'VeuHlvmJL8', 'ToString', 'SAUHwKR54n', 'KYrHJNPXbH', 'hpFMgQBEkGvWR9AHgxb', 'dQAP8SBW10a8GljXEQs', 'g4k6vXB4B22V7vKSUuU'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.7970000.7.raw.unpack, lKmqV9PtYSd19SYVB2.cs	High entropy of concatenated method names: 'i5NH7KMpJx', 'x3NHYPjhKd', 'C35HaoWmkn', 'vqrHr1FIaX', 'zseHdRo0V9', 'SAmH1hGZBU', 'niOHXHCAts', 'y11HQtBfSZ', 'EZHMifByNDUN23dLG96', 'yh3QmNBxX8fdc8sMvaD'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	File created: \pedido de compras oc 1203 cri234.xlsx.exe	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

File created: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xlsx.exe

Static PE information: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, DpmrYeeDGcj.exe, 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: 32A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: 52A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: 9480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: A480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: A690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: B690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 82F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 92F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: 94E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: A4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 6D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Memory allocated: 5170000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5934	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3773	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 4550	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Window / User API: threadDelayed 5296	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe TID: 5544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6352	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4128	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 2788	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 2788	Thread sleep time: -38738162554790034s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 1196	Thread sleep count: 4550 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 1196	Thread sleep count: 5296 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe TID: 1628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000007.00000002.2833489771.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2834352021.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2834278469.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: DpmrYeeDGcj.exe, 00000009.00000002.1653093380.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, DpmrYeeDGcj.exe, 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: YrZ1gD5QdIVjccca7woGTzwaBccBkzLBXO4f1qHjirwDnt1oxU6cGH/7OytHoZUqQa+mmImoVjmceOLyUcYbIC+O2cboJ5jGWjP8DoXgt4W+x+x9cHJjhGv7nIGZhjGBmsAzEQ0gW80wmCJXruA8AsaJij5OPNoIqxdwJsrRAgwX3w6EarB/agyeuvDQYqL1P2n4mO9/ZtAVRWsVxlr8rCl66k60fCQd+TkU9T75/DQtO/+baxDvGSrLTu78HGfShz879Y9Q4U4epMsW8BVQAoGgxAwweAa/F39/aamusBjOVzzYr/AMmVaTYVBvTUBbHUMLDEtapxc+zq9T3S/m41iUZXRRcTYo2EZYBHhbd5bdyRvVVKslYRij4jZGsLzQ7dPHvO26U3PClsYPDGw+41G+6Q8bo42kH+Ix3IV5gS/IefrRKfB/zY9ISURNhkiN5NOS8NWFJUbkMd8iPgZQ2xqgXLaYC2tdSPbk4+f107eNNyyRyYw1adlKZSL5bSD3J4bVXgYhx3gay3kOFhJb4OVzvaDPtIATby4YivpTUr3LllVkHH8kXNrm4K1GoZzW1VgZB6fd5dNC8NKUYd6/UwRiKyxUr9sMfX2rraw+1cF5nP4pGGVwAX1OQDSACxN2lT5NY+DB9upHtsKloGsVaR9zglMZJpuJmIZk3lkAIXxwajnATRIyw5vQ81GZAgnGzkBJY/iZCCEef+4yjkZSFiB/bssmB13TXTYrqWSM9TFHso+2HggjYP+i6UypIQJRr/CSao4uQvZgpG3/j7Qpr1MSd5NLmDyq3i/CYqbxlDy5/0+dL3CVvi0cNhXAiyQxgrEXgGa0BXF9WjP+pQejNnbuLZKoHb/i3yWEo7YRssxokXV5GPXzLWnXDV+9jXvtPM5nCCSUJP2C4HVuv/6Kb8YKt+w/1aEjCmXrO3r/kce+Ap+RQ5ps8G6nyT3IQop85zMqmcEQbLOu3Ew/wCerqBA5QKh4HebbPqchMp6uv2Mlpp3y3te+w5AVU3cLqRtIedzPMYoOeFysjmjszzblZ8ZCLU2v0lpWDkeQn7mWsm/fFJ6ESH2cGP8BJSDEUo1xY15SbvEqSWBX2GhThvCgT6hw5X78//vFwv2QbJsju+9COcJpmypqevaEFRB3Kv5dZrAGAN/XSn0ZrIm16t7wP2PYbbfVXnep6ZdD124Xp+oe5jaPDOj/hyz+Wl7S068OaxQ1X1SZ68ZmYCYhSvCakKCoW9eSGvHsiaw5tqI1mrF7wIk4WH+scbqj/myLt4NWSFDzBS/r0Zh1MwMxqV4p9X7ASN0VckTXDX5ltqNImFPDER3fCbw58DJSkF9qzcSgFD9f7dp5V9d6ELP68TKgFKlg8WVumvM/Z4rycfX5cgQBOgZATyUatFQ5JcEZJ7vPGLzI86HajrDVADXa8yUDnK7Efpu/Yu30EWDoiYG1ktYkq44tRlNodIBp5xCHpdRI/hMkHQeNqTfluORdIhLqHzsOY5K4exOR6FxpcfYWXpyhUmbDYF7YymE/b978pTwPbiL1VjDMM23ZoDMlFzkEKEZtd4ZuYSaPkq2Ru7VgnDbLzDLk7doYkpy5tK5PjujEQeOagPILSv5yusTmGTyZrx5x6LzRVeNKuRfKLpo7Pa1Z1toWcXeZMqhFXvVmmS60sqlwrbsEcRb8nsh6NpYbVkCALQfstB2ot4wdnNi+3GOQUhUss80Kgcz/vLgrRj7EJ/CTvsPFhLGz8akA2737JGEV6q9o2oc9KuRMUzX5H1A6IST2+eRcs+nwCU37H5IWVa6fEaQISHoMUGjjNM79ucnG3Br3wKPzkjWVGGrzQz1TxR7IcUeorSmVMHE9jg1R7GV3hSs07WTnrgqEC9BnY/taf5A2dh9UBgnipT6WDF19X6jSlDbgv3k3XWwKY8qhhJeIA2pHjZ8x+3HLBGQptIpmP1SgrhwcwnhFQCZa0dKYV+pIvQK9OIYGqsAo7yCdnQv4dzKP+VcwJXNTx09p02dzqv6HjCG98vNSk5/wqcfQgu0efBBUXdJBOzAQFoDdOt20YzcOq3aOBUkN/TXTvAhnvzfqTV93BW9qvLwIuy+Tc/vr9/4HR2GhhULoaS0r35+WwJZKv5ee4Wob8+aqxAdAwor7kB25j7LzqGWJiHjXR4PScOJQyIAJwBhHPoenmLeCib2x+5zHao7WFO7d7ZcQUHV5Dq82XGG4zDNlzHreMOG3utqSZlwps8YZaPtAE3mHhnEWG2GWqok9uOc9Pee8gQngrflbK9TLGRSJnam2qWJyWwarQ8S5MJmAZsIyRGb8JAPjwNWEPnAO8RCituCTKAf+Bnz2p2sy0871psto=
Source: vbc.exe, 0000000C.00000002.1696389134.0000000006D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,rZ1gD5QdIVjccca7woGTzwaBccBkzLBXO4f1qHjirwDnt1oxU6cGH/7OytHoZUqQa+mmImoVjmceOLyUcYbIC+O2cboJ5jGWjP8DoXgt4W+x+x9cHJjhGv7nIGZhjGBmsAzEQ0gW80wmCJXruA8AsaJij5OPNoIqxdwJsrRAgwX3w6EarB/agyeuvDQYqL1P2n4mO9/ZtAVRWsVxlr8rCl66k60fCQd+TkU9T75/DQtO/+baxDvGSrLTu78HGfShz879Y9Q4U4epMsW8BVQAoGgxAwweAa/F39/aamusBjOVzzYr/AMmVaTYVBvTUBbHUMLDEtapxc+zq9T3S/m41iUZXRRcTYo2EZYBHhbd5bdyRvVVKslYRij4jZGsLzQ7dPHvO26U3PClsYPDGw+41G+6Q8bo42kH+Ix3IV5gS/IefrRKfB/zY9ISURNhkiN5NOS8NWFJUbkMd8iPgZQ2xqgXLaYC2tdSPbk4+f107eNNyyRyYw1adlKZSL5bSD3J4bVXgYhx3gay3kOFhJb4OVzvaDPtIATby4YivpTUr3LllVkHH8kXNrm4K1GoZzW1VgZB6fd5dNC8NKUYd6/UwRiKyxUr9sMfX2rraw+1cF5nP4pGGVwAX1OQDSACxN2lT5NY+DB9upHtsKloGsVaR9zglMZJpuJmIZk3lkAIXxwajnATRIyw5vQ81GZAgnGzkBJY/iZCCEef+4yjkZSFiB/bssmB13TXTYrqWSM9TFHso+2HggjYP+i6UypIQJRr/CSao4uQvZgpG3/j7Qpr1MSd5NLmDyq3i/CYqbxlDy5/0+dL3CVvi0cNhXAiyQxgrEXgGa0BXF9WjP+pQejNnbuLZKoHb/i3yWEo7YRssxokXV5GPXzLWnXDV+9jXvtPM5nCCSUJP2C4HVuv/6Kb8YKt+w/1aEjCmXrO3r/kce+Ap+RQ5ps8G6nyT3IQop85zMqmcEQbLOu3Ew/wCerqBA5QKh4HebbPqchMp6uv2Mlpp3y3te+w5AVU3cLqRtIedzPMYoOeFysjmjszzblZ8ZCLU2v0lpWDkeQn7mWsm/fFJ6ESH2cGP8BJSDEUo1xY15SbvEqSWBX2GhThvCgT6hw5X78//vFwv2QbJsju+9COcJpmypqevaEFRB3Kv5dZrAGAN/XSn0ZrIm16t7wP2PYbbfVXnep6ZdD124Xp+oe5jaPDOj/hyz+Wl7S068OaxQ1X1SZ68ZmYCYhSvCakKCoW9eSGvHsiaw5tqI1mrF7wIk4WH+scbqj/myLt4NWSFDzBS/r0Zh1MwMxqV4p9X7ASN0VckTXDX5ltqNImFPDER3fCbw58DJSkF9qzcSgFD9f7dp5V9d6ELP68TKgFKlg8WVumvM/Z4rycfX5cgQBOgZATyUatFQ5JcEZJ7vPGLzI86HajrDVADXa8yUDnK7Efpu/Yu30EWDoiYG1ktYkq44tRlNodIBp5xCHpdRI/hMkHQeNqTfluORdIhLqHzsOY5K4exOR6FxpcfYWXpyhUmbDYF7YymE/b978pTwPbiL1VjDMM23ZoDMlFzkEKEZtd4ZuYSaPkq2Ru7VgnDbLzDLk7doYkpy5tK5PjujEQeOagPILSv5yusTmGTyZrx5x6LzRVeNKuRfKLpo7Pa1Z1toWcXeZMqhFXvVmmS60sqlwrbsEcRb8nsh6NpYbVkCALQfstB2ot4wdnNi+3GOQUhUss80Kgcz/vLgrRj7EJ/CTvsPFhLGz8akA2737JGEV6q9o2oc9KuRMUzX5H1A6IST2+eRcs+nwCU37H5IWVa6fEaQISHoMUGjjNM79ucnG3Br3wKPzkjWVGGrzQz1TxR7IcUeorSmVMHE9jg1R7GV3hSs07WTnrgqEC9BnY/taf5A2dh9UBgnipT6WDF19X6jSlDbgv3k3XWwKY8qhhJeIA2pHjZ8x+3HLBGQptIpmP1SgrhwcwnhFQCZa0dKYV+pIvQK9OIYGqsAo7yCdnQv4dzKP+VcwJXNTx09p02dzqv6HjCG98vNSk5/wqcfQgu0efBBUXdJBOzAQFoDdOt20YzcOq3aOBUkN/TXTvAhnvzfqTV93BW9qvLwIuy+Tc/vr9/4HR2GhhULoaS0r35+WwJZKv5ee4Wob8+aqxAdAwor7kB25j7LzqGWJiHjXR4PScOJQyIAJwBhHPoenmLeCib2x+5zHao7WFO7d7ZcQUHV5Dq82XGG4zDNlzHreMOG3utqSZlwps8YZaPtAE3mHhnEWG2GWqok9uOc9Pee8gQngrflbK9TLGRSJnam2qWJyWwarQ8S5MJmAZsIyRGb8JAPjwNWEPnAO8RCituCTKAf+Bnz2p2sy0871psto=gr
Source: vbc.exe, 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,rZ1gD5QdIVjccca7woGTzwaBccBkzLBXO4f1qHjirwDnt1oxU6cGH/7OytHoZUqQa+mmImoVjmceOLyUcYbIC+O2cboJ5jGWjP8DoXgt4W+x+x9cHJjhGv7nIGZhjGBmsAzEQ0gW80wmCJXruA8AsaJij5OPNoIqxdwJsrRAgwX3w6EarB/agyeuvDQYqL1P2n4mO9/ZtAVRWsVxlr8rCl66k60fCQd+TkU9T75/DQtO/+baxDvGSrLTu78HGfShz879Y9Q4U4epMsW8BVQAoGgxAwweAa/F39/aamusBjOVzzYr/AMmVaTYVBvTUBbHUMLDEtapxc+zq9T3S/m41iUZXRRcTYo2EZYBHhbd5bdyRvVVKslYRij4jZGsLzQ7dPHvO26U3PClsYPDGw+41G+6Q8bo42kH+Ix3IV5gS/IefrRKfB/zY9ISURNhkiN5NOS8NWFJUbkMd8iPgZQ2xqgXLaYC2tdSPbk4+f107eNNyyRyYw1adlKZSL5bSD3J4bVXgYhx3gay3kOFhJb4OVzvaDPtIATby4YivpTUr3LllVkHH8kXNrm4K1GoZzW1VgZB6fd5dNC8NKUYd6/UwRiKyxUr9sMfX2rraw+1cF5nP4pGGVwAX1OQDSACxN2lT5NY+DB9upHtsKloGsVaR9zglMZJpuJmIZk3lkAIXxwajnATRIyw5vQ81GZAgnGzkBJY/iZCCEef+4yjkZSFiB/bssmB13TXTYrqWSM9TFHso+2HggjYP+i6UypIQJRr/CSao4uQvZgpG3/j7Qpr1MSd5NLmDyq3i/CYqbxlDy5/0+dL3CVvi0cNhXAiyQxgrEXgGa0BXF9WjP+pQejNnbuLZKoHb/i3yWEo7YRssxokXV5GPXzLWnXDV+9jXvtPM5nCCSUJP2C4HVuv/6Kb8YKt+w/1aEjCmXrO3r/kce+Ap+RQ5ps8G6nyT3IQop85zMqmcEQbLOu3Ew/wCerqBA5QKh4HebbPqchMp6uv2Mlpp3y3te+w5AVU3cLqRtIedzPMYoOeFysjmjszzblZ8ZCLU2v0lpWDkeQn7mWsm/fFJ6ESH2cGP8BJSDEUo1xY15SbvEqSWBX2GhThvCgT6hw5X78//vFwv2QbJsju+9COcJpmypqevaEFRB3Kv5dZrAGAN/XSn0ZrIm16t7wP2PYbbfVXnep6ZdD124Xp+oe5jaPDOj/hyz+Wl7S068OaxQ1X1SZ68ZmYCYhSvCakKCoW9eSGvHsiaw5tqI1mrF7wIk4WH+scbqj/myLt4NWSFDzBS/r0Zh1MwMxqV4p9X7ASN0VckTXDX5ltqNImFPDER3fCbw58DJSkF9qzcSgFD9f7dp5V9d6ELP68TKgFKlg8WVumvM/Z4rycfX5cgQBOgZATyUatFQ5JcEZJ7vPGLzI86HajrDVADXa8yUDnK7Efpu/Yu30EWDoiYG1ktYkq44tRlNodIBp5xCHpdRI/hMkHQeNqTfluORdIhLqHzsOY5K4exOR6FxpcfYWXpyhUmbDYF7YymE/b978pTwPbiL1VjDMM23ZoDMlFzkEKEZtd4ZuYSaPkq2Ru7VgnDbLzDLk7doYkpy5tK5PjujEQeOagPILSv5yusTmGTyZrx5x6LzRVeNKuRfKLpo7Pa1Z1toWcXeZMqhFXvVmmS60sqlwrbsEcRb8nsh6NpYbVkCALQfstB2ot4wdnNi+3GOQUhUss80Kgcz/vLgrRj7EJ/CTvsPFhLGz8akA2737JGEV6q9o2oc9KuRMUzX5H1A6IST2+eRcs+nwCU37H5IWVa6fEaQISHoMUGjjNM79ucnG3Br3wKPzkjWVGGrzQz1TxR7IcUeorSmVMHE9jg1R7GV3hSs07WTnrgqEC9BnY/taf5A2dh9UBgnipT6WDF19X6jSlDbgv3k3XWwKY8qhhJeIA2pHjZ8x+3HLBGQptIpmP1SgrhwcwnhFQCZa0dKYV+pIvQK9OIYGqsAo7yCdnQv4dzKP+VcwJXNTx09p02dzqv6HjCG98vNSk5/wqcfQgu0efBBUXdJBOzAQFoDdOt20YzcOq3aOBUkN/TXTvAhnvzfqTV93BW9qvLwIuy+Tc/vr9/4HR2GhhULoaS0r35+WwJZKv5ee4Wob8+aqxAdAwor7kB25j7LzqGWJiHjXR4PScOJQyIAJwBhHPoenmLeCib2x+5zHao7WFO7d7ZcQUHV5Dq82XGG4zDNlzHreMOG3utqSZlwps8YZaPtAE3mHhnEWG2GWqok9uOc9Pee8gQngrflbK9TLGRSJnam2qWJyWwarQ8S5MJmAZsIyRGb8JAPjwNWEPnAO8RCituCTKAf+Bnz2p2sy0871psto=

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 982008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 841008	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"	Jump to behavior

Source: vbc.exe, 00000007.00000002.2835178825.0000000006C3D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C39000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 00000007.00000002.2835178825.0000000006C3D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C39000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
Source: vbc.exe, 00000007.00000002.2835178825.0000000006C3D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C39000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Queries volume information: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27d4400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.DpmrYeeDGcj.exe.27df8e0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.33039c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.32b63ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe PID: 5308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DpmrYeeDGcj.exe PID: 4136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 5624, type: MEMORYSTR

Source: vbc.exe, 00000007.00000002.2834278469.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1612004323.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613736255.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.5b00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42c7dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.42e7de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1612004323.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1613736255.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	312 Process Injection	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 DLL Side-Loading	2 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	28%	Virustotal		Browse
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	100%	Avira	HEUR/AGEN.1309493
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	100%	Avira	HEUR/AGEN.1309493
C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe	45%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore

Source	Detection	Scanner	Label	Link
ergsea.ydns.eu	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
ergsea.ydns.eu	67.203.7.171	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
ergsea.ydns.eu	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://tempuri.org/WarehouseDataDataSet.xsdYhttp://tempuri.org/WarehouseDataDataSet1.xsdEkursachForA	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, DpmrYeeDGcj.exe.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe, 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, DpmrYeeDGcj.exe, 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
67.203.7.171	ergsea.ydns.eu	United States		21769	AS-COLOAMUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585874
Start date and time:	2025-01-08 12:29:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@16/14@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 212 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 23.56.254.164, 20.109.210.53, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target vbc.exe, PID 5484 because it is empty
Execution Graph export aborted for target vbc.exe, PID 5624 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:30:32	API Interceptor	1x Sleep call for process: PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe modified
06:30:34	API Interceptor	14x Sleep call for process: powershell.exe modified
06:30:37	API Interceptor	1x Sleep call for process: DpmrYeeDGcj.exe modified
06:30:41	API Interceptor	1x Sleep call for process: vbc.exe modified
12:30:35	Task Scheduler	Run new task: DpmrYeeDGcj path: C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	e-SPT Masa PPh.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	199.232.214.172
	I6la3suRdt.exe	Get hash	malicious	AsyncRAT	Browse	199.232.214.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOAMUS	armv4l.elf	Get hash	malicious	Unknown	Browse	216.74.64.185
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	185.205.199.162
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	185.199.118.94
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	185.205.199.176
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	67.227.68.206
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	67.203.3.42
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	67.203.3.22
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	104.224.77.60
	botx.mips.elf	Get hash	malicious	Mirai	Browse	185.205.199.194
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	185.195.214.182

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.234088949531399
Encrypted:	false
SSDEEP:	6:kKMEF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:kDImsLNkPlE99SNxAhUe/3
MD5:	A8C7F4028F5EF81E27A66319C5C18746
SHA1:	6E7B70ECD1D715AD6C281C9D5FE50E150934B5FC
SHA-256:	3C6600CBEDCC4B7C9BF3F22C9C0089D083EA2B7128B7A08A1B64FC8A62B5469F
SHA-512:	6657BCD5CC0025978D6A8F11801B9F00026ED6952A6A05CC3D117F60BBDE72DA36E816EBA66A5F6B9D8B80623A7D29AA72DEEF8DC18EE6395EA8B2655C94A598
Malicious:	false
Preview:	p...... .........<]..a..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DpmrYeeDGcj.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.log

Download File

Process:	C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:BWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMuge//ZMKyus:BLHxvCZfIfSKRHmOugrKs
MD5:	F36522C0423F3D44A5D29F37C917E041
SHA1:	1982B7E5EFC57AF60E3FFEEAA921905E46BD3421
SHA-256:	6EB6B4C6E05E3EA447EB9990C5DC6149EA083BD728B7F1C8CAAB8F3F6C4623D6
SHA-512:	3C859BDD6F514D5AAE275B66808A45AD4764DBB6BE178C0D3CE92653AFA6187B9149991FC0089DF8EA1AF1161457BF16EBD4039146C545BCF037B304E520E4E5
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25kz3xwf.gef.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0cfo1k4.lob.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnyunbss.52i.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzrk4sr0.dfp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA9.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.113318562486061
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	539CE52B25CC5C1AC4B2D61FA1CBFD14
SHA1:	832A8547D7AD1D5A92F9FB6F31CC91E1B85C3D55
SHA-256:	A8CF5710D36DEDF98CAF755C042572127C22A2F3B11028D2F12A132CCFC24A5D
SHA-512:	2266BB57A6F3AF43B145E56F31ECB0417BD448E64CB29EEA9C7086CD5B1222E3A0D7ADC9FE88997ABD3664391EC7E37351D2CEAE29003E1A180F14055EBA1DF3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpED50.tmp

Download File

Process:	C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1584
Entropy (8bit):	5.113318562486061
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtjxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTdv
MD5:	539CE52B25CC5C1AC4B2D61FA1CBFD14
SHA1:	832A8547D7AD1D5A92F9FB6F31CC91E1B85C3D55
SHA-256:	A8CF5710D36DEDF98CAF755C042572127C22A2F3B11028D2F12A132CCFC24A5D
SHA-512:	2266BB57A6F3AF43B145E56F31ECB0417BD448E64CB29EEA9C7086CD5B1222E3A0D7ADC9FE88997ABD3664391EC7E37351D2CEAE29003E1A180F14055EBA1DF3
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe

Download File

Process:	C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	629760
Entropy (8bit):	7.588388691153946
Encrypted:	false
SSDEEP:	12288:keq4E6mfJiLl9fWcbQkpClS+j80IlSgaFguAGszwTPXC2l93dvp1p7Cph8p:dEkD9pClC3ogaFgrRzwVdvp1pVp
MD5:	934331EDA0B472009322A97523B5BFDD
SHA1:	0AF4E8F64595D302BA3C5B277403230B73277EAA
SHA-256:	1466C1E6BD4B88AD92EAC2240158C6516B8601FC59FC4260711C20E269BA17CB
SHA-512:	57CE4F3FA2EAB5B3792C83E045EB7A0D820B0C6172017FD41DD12F172F64FE2046B92E8BC7A0ACF29D3F7D5B5AA35A3FE5FB60749A9BB07D6656BCCD78C41576
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I.}g..............0..z... ........... ........@.. ....................................`.................................L...O.................................................................................... ............... ..H............text....x... ...z.................. ..`.rsrc................\|..............@..@.reloc..............................@..B........................H.......,q..........9...4..................................................}.....($......(......{.....o%.....{.....o&.......{....r...po'.....{....r...po'.....0............{....o(...r...p()...,..{....o(...r-..p()...+....,...(....s......o+.....+2.(,...o-....r7..p(....&.{.....o'.....{.....o'.......0..+.........,..{.......+....,...{....o/.......(0......0............s1...}.....s1...}.....s2...}.....s2...}.....s3...}.....(4.....{.....o5.....{.....8.>s6...o7.....{....re..po8..

C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.588388691153946
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
File size:	629'760 bytes
MD5:	934331eda0b472009322a97523b5bfdd
SHA1:	0af4e8f64595d302ba3c5b277403230b73277eaa
SHA256:	1466c1e6bd4b88ad92eac2240158c6516b8601fc59fc4260711c20e269ba17cb
SHA512:	57ce4f3fa2eab5b3792c83e045eb7a0d820b0c6172017fd41dd12f172f64fe2046b92e8bc7a0acf29d3f7d5b5aa35a3fe5fb60749a9bb07d6656bccd78c41576
SSDEEP:	12288:keq4E6mfJiLl9fWcbQkpClS+j80IlSgaFguAGszwTPXC2l93dvp1p7Cph8p:dEkD9pClC3ogaFgrRzwVdvp1pVp
TLSH:	E0D4F1043362EA06D0A707B46870E7F923745EC9A512E3039EEEBDFB7C2A7526D15352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I.}g..............0..z... ........... ........@.. ....................................`................................

File Icon


Icon Hash:	80acdadaaaa4c6ba

Static PE Info

General

Entrypoint:	0x49989e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677DE749 [Wed Jan 8 02:47:37 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9984c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x1d84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x978a4	0x97a00	55f11ec5fdd94ab5581899c93a38e3c3	False	0.8629688788128607	data	7.593765375690727	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9a000	0x1d84	0x1e00	4e0b7aec5249e919ffc05f72e6672107	False	0.8567708333333334	data	7.394441823337237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	7a661555a4e1aa4a1305d7cff4aa1247	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9a0c8	0x1967	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9407965554359526
RT_GROUP_ICON	0x9ba40	0x14	data	1.05
RT_VERSION	0x9ba64	0x31c	data	0.43844221105527637

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:30:40.757332+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	67.203.7.171	7393	192.168.2.8	49712	TCP
2025-01-08T12:30:40.757332+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	67.203.7.171	7393	192.168.2.8	49712	TCP
2025-01-08T12:30:40.757332+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	67.203.7.171	7393	192.168.2.8	49712	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:39.851833105 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:39.856723070 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:39.856826067 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:39.869680882 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:39.874526024 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:40.746494055 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:40.746521950 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:40.746531963 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:40.746702909 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:40.752540112 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:40.757332087 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:41.012984991 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:41.216681004 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:42.039072990 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:42.043858051 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:42.043937922 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:42.048800945 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:46.464775085 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:46.518958092 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:46.540175915 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:46.581367970 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:56.863842010 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:56.868719101 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:56.868839025 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:56.873615980 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:57.344575882 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:57.393877029 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:58.761720896 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:58.764121056 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:58.768924952 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:30:58.769001007 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:30:58.773765087 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:11.691711903 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:11.696508884 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:11.696566105 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:11.701411009 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:12.315701008 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:12.362590075 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:16.582035065 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:16.584373951 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:16.589171886 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:16.589231968 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:16.594058037 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:26.519378901 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:26.524182081 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:26.524255991 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:26.529051065 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:26.999977112 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:27.050096035 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:27.214514971 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:27.216255903 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:27.221131086 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:27.221201897 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:27.225986004 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:41.347556114 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:41.352437973 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:41.352533102 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:41.357315063 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:41.925071955 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:41.971951962 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:42.136298895 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:42.138082981 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:42.142851114 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:42.142927885 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:42.147680998 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:46.345108032 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:46.395776033 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:47.550405025 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:47.596927881 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:56.175930977 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:56.180785894 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:56.180851936 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:56.185631037 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:56.656667948 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:56.706331015 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:57.237581968 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:57.239257097 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:57.244069099 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:31:57.244131088 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:31:57.248949051 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:11.003783941 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:11.008603096 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:11.008678913 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:11.013535023 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:12.441273928 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:12.445033073 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:12.449824095 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:12.449888945 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:12.454613924 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:16.338865995 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:16.393798113 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:17.519402027 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:17.565664053 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:25.832029104 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:25.836860895 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:25.836939096 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:25.841712952 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:26.312663078 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:26.362539053 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:26.527717113 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:26.581295013 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:26.581773996 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:26.586569071 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:26.586643934 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:26.591495991 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:38.534791946 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:38.539748907 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:38.539834976 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:38.544667006 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:39.099040031 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:39.143780947 CET	49712	7393	192.168.2.8	67.203.7.171
Jan 8, 2025 12:32:39.309623957 CET	7393	49712	67.203.7.171	192.168.2.8
Jan 8, 2025 12:32:39.362576962 CET	49712	7393	192.168.2.8	67.203.7.171

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:39.834333897 CET	51498	53	192.168.2.8	1.1.1.1
Jan 8, 2025 12:30:39.849096060 CET	53	51498	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:39.834333897 CET	192.168.2.8	1.1.1.1	0x8822	Standard query (0)	ergsea.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:39.849096060 CET	1.1.1.1	192.168.2.8	0x8822	No error (0)	ergsea.ydns.eu	67.203.7.171	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:41.130361080 CET	1.1.1.1	192.168.2.8	0x8be6	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:41.130361080 CET	1.1.1.1	192.168.2.8	0x8be6	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:30:31
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe"
Imagebase:	0xec0000
File size:	629'760 bytes
MD5 hash:	934331EDA0B472009322A97523B5BFDD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1612004323.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1613736255.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1612004323.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1611407700.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe"
Imagebase:	0x310000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpED50.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:30:32
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:30:34
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xde0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2835178825.0000000006BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:30:35
Start date:	08/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:30:35
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\DpmrYeeDGcj.exe
Imagebase:	0x2a0000
File size:	629'760 bytes
MD5 hash:	934331EDA0B472009322A97523B5BFDD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000009.00000002.1654251939.00000000027C5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:30:38
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DpmrYeeDGcj" /XML "C:\Users\user\AppData\Local\Temp\tmpA9.tmp"
Imagebase:	0x160000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:30:38
Start date:	08/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:30:38
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Imagebase:	0xde0000
File size:	2'625'616 bytes
MD5 hash:	0A7608DB01CAE07792CEA95E792AA866
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000C.00000002.1695309547.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	194
Total number of Limit Nodes:	13

Executed Functions

Function 05814B20 Relevance: 2.6, Instructions: 2602COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613320664.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd073cdb67b15679048ce778876c9e9011dd85a380f6226057068e14f9262b4
Instruction ID: fc3fb521652ef91822b5779d7002277fe8aa3ed8d109d7e21180a354af3e6e84
Opcode Fuzzy Hash: ddd073cdb67b15679048ce778876c9e9011dd85a380f6226057068e14f9262b4
Instruction Fuzzy Hash: D943E674A012198FDB64DF29C888AADB7B6FF89310F558199D849EB360DB31ED81CF44

Function 05814060 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613320664.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be522710ba6b71eb0d5dd173a2a7a3a346ba4257d8b5ce0f1400ef7f5029b1c
Instruction ID: b5968180be7024e0e737327bfc6eb30832c1253aa3a013dbefb0a2176b26ad53
Opcode Fuzzy Hash: 2be522710ba6b71eb0d5dd173a2a7a3a346ba4257d8b5ce0f1400ef7f5029b1c
Instruction Fuzzy Hash: CC525C35A002199FDF18DF69D884AADB7BABF88710B158169EC06DB374DB31EC41CB94

Function 07A0D030 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c6168054623c47547881d148c38505fc05a3fac64358f720d51d4ca30b0e84
Instruction ID: e062958793ff12f41b6d0862d40c928b93e9b27307d8cf73eb99bfb7c7c0d98b
Opcode Fuzzy Hash: e5c6168054623c47547881d148c38505fc05a3fac64358f720d51d4ca30b0e84
Instruction Fuzzy Hash: 3132ACB5B012048FDB18DBA9D950BAEB7F6AFC9700F148869E5169B3D0CB34ED41CB91

Function 030CD309 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030CD396
GetCurrentThread.KERNEL32 ref: 030CD3D3
GetCurrentProcess.KERNEL32 ref: 030CD410
GetCurrentThreadId.KERNEL32 ref: 030CD469

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c9c870eaa395051fb67a8c86994923418b237fddfe9cde798cd74629f8947ed8
Instruction ID: 89879b9edbd8defc811e88767065dfd856cf26a69eba6f926fb6a031482dad87
Opcode Fuzzy Hash: c9c870eaa395051fb67a8c86994923418b237fddfe9cde798cd74629f8947ed8
Instruction Fuzzy Hash: C15166B09113498FDB54DFAAD488BDEBBF1AF88304F20C059E419A7290D774A984CB66

Function 030CD318 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030CD396
GetCurrentThread.KERNEL32 ref: 030CD3D3
GetCurrentProcess.KERNEL32 ref: 030CD410
GetCurrentThreadId.KERNEL32 ref: 030CD469

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d589dc5d1c7e89c3911ce2d02b6e1349486ff450dcd2ac0a2668ea8be6587937
Instruction ID: 45423e24c60d8e6356a139d457f93ef5efca5d1967d0b5a0ae63d0aa76145d22
Opcode Fuzzy Hash: d589dc5d1c7e89c3911ce2d02b6e1349486ff450dcd2ac0a2668ea8be6587937
Instruction Fuzzy Hash: 375165B09113498FDB54DFAAD588BDEBBF1AF88304F20C069E419A7350D774A984CF66

Function 07A07644 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A07886

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 251332505bb8ac60495b6d14ee0b245afd9965681b388283f3c560e69d3b95ef
Instruction ID: d63bb7fad8d967cf402ce511c88a0e79f16eb4db050bf46f5d39a4617e89fcc2
Opcode Fuzzy Hash: 251332505bb8ac60495b6d14ee0b245afd9965681b388283f3c560e69d3b95ef
Instruction Fuzzy Hash: 1BA14BB1D00359CFEF10CF69D844BEDBBB2BB84310F148569E859A7280DB75A985CF91

Function 07A07650 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A07886

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 33681d200d82b1acadc049deb0626644bca5b387234b048731bd35a3b1dbf0af
Instruction ID: fdacb8581db6184a7b3074bbb857d2396968218361b351c9f9d5805db3b371fd
Opcode Fuzzy Hash: 33681d200d82b1acadc049deb0626644bca5b387234b048731bd35a3b1dbf0af
Instruction Fuzzy Hash: 4C914AB1D0071ACFEF14CF69D844BEDBBB2BB84310F148569E819A7280DB75A985CF91

Function 030CB351 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030CB5C6

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf488ea7df6af5061dae5572ca8a223b0f8daefff27036fb852e01e66abc1a25
Instruction ID: 711b31569fbcf5dcf1bb93a213d261323f20f131d6dda2ec9e1c1b93f29edab4
Opcode Fuzzy Hash: cf488ea7df6af5061dae5572ca8a223b0f8daefff27036fb852e01e66abc1a25
Instruction Fuzzy Hash: 62819770A11B848FDB64DF29D44579ABBF5FF88300F048A6ED08ADBA41D734E949CB90

Function 030C590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030C59C9

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0777b95b4c665737ccf081f50b0d95dddecfe6f4ece42d46038c59c5554885f4
Instruction ID: 1d852ce928b68950ba5ca73c07ba14af7d4807e59a97265a3ba0e9afc8cd1344
Opcode Fuzzy Hash: 0777b95b4c665737ccf081f50b0d95dddecfe6f4ece42d46038c59c5554885f4
Instruction Fuzzy Hash: EB41BFB1C11719CFDB24CFAAC884BDEBBB5BF49304F24816AD408AB251DB756986CF50

Function 030C44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030C59C9

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a2b9307e8abc311207c80fc31bb29f2dd41d717ba27cdf3b96ceb6e27692f023
Instruction ID: abd9884d10a4bf8fb3b4d7ffe340e758a5208edf653473f117baf3ba5240b077
Opcode Fuzzy Hash: a2b9307e8abc311207c80fc31bb29f2dd41d717ba27cdf3b96ceb6e27692f023
Instruction Fuzzy Hash: 1A41CF70C11759CFDB24CFAAC884B9EBBF5BF49704F24806AD408AB251DB716985CF90

Function 07A073C0 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A07458

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 815f2d9b5662a8e3f38e714a918f14f85f8f2066b7db82cc65b359304ee28695
Instruction ID: 653b98ed09ca541f1a45774b86dc04daf0ee7049727851f28f267ca76a077edc
Opcode Fuzzy Hash: 815f2d9b5662a8e3f38e714a918f14f85f8f2066b7db82cc65b359304ee28695
Instruction Fuzzy Hash: 8D214AB59003099FDF10CFA9D841BDEBBF5FF48310F10842AE519A3640C7759550CBA4

Function 07A073C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A07458

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2b6011be61b21343c4da52436157850db86e6bdfce1cac2f643efe275d9e6293
Instruction ID: ef313bda2afe6d67f06dbe5b8615f51536d5a8bd1edfc8fdf31bc49c7e02271a
Opcode Fuzzy Hash: 2b6011be61b21343c4da52436157850db86e6bdfce1cac2f643efe275d9e6293
Instruction Fuzzy Hash: 6B213BB59003599FDF10CFA9C881BDEBBF5FF48310F10882AE929A7240D7799950CBA5

Function 07A07228 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A072AE

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 307540137d19dcf2209e22fa6d7b34082e95975894531bf9bbd0321ad2be62d1
Instruction ID: af468ca2367998a98965543e704e7ea103bc9f6791148ff3bdeaa5aa04c0d6da
Opcode Fuzzy Hash: 307540137d19dcf2209e22fa6d7b34082e95975894531bf9bbd0321ad2be62d1
Instruction Fuzzy Hash: 9C213CB59003099FDB10DFAAC4857EEBBF4FF48314F14842AE419A7640D778A545CFA5

Function 030CD960 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030CD9EF

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 055fd24c4d49a2942e5195eec8205d59b2b8b181fe8b8c81cabedc2c663c2328
Instruction ID: 28eb1f9347a6c8bb1ae8e59563e42ee6882b17df78674c00a199d07ef339ce11
Opcode Fuzzy Hash: 055fd24c4d49a2942e5195eec8205d59b2b8b181fe8b8c81cabedc2c663c2328
Instruction Fuzzy Hash: 4D21E4B59013489FDB10CFAAD884AEEFBF8FB48310F14801AE958A3350D374A954CFA5

Function 07A074B0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A07538

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ab01557d84437e9cf28ce50fef97703bf6aed87dc60b982c66d0e64d5380ce92
Instruction ID: 5d957d39e42e8663ea22e22b150a15b36d81c3e1f84a4696ba3b9adbd5c3efa5
Opcode Fuzzy Hash: ab01557d84437e9cf28ce50fef97703bf6aed87dc60b982c66d0e64d5380ce92
Instruction Fuzzy Hash: A82127B18003499FDF10CFA9D881BEEBBF5FF48314F54881AE959A7240C738A541CBA0

Function 07A074B8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A07538

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d3d2beb8490848910a0933460c126b0c0048c7403f392c92a938bf5154221f4d
Instruction ID: f177faada2dd985d25c256d3c900e7ee20b6ff900286df900358a32ff063c591
Opcode Fuzzy Hash: d3d2beb8490848910a0933460c126b0c0048c7403f392c92a938bf5154221f4d
Instruction Fuzzy Hash: 3A2119B18003599FDF10CFAAC841BEEBBF5FF48310F50842AE519A7250D774A541CBA4

Function 07A07230 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A072AE

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cc853b804abbbdbc014390220cc76b85d14a14c96315b196e6cd4561f5ceeb38
Instruction ID: c0843024d8e80b869ac5f52b666e2b7266185834329cfb3df1814f1cb140663e
Opcode Fuzzy Hash: cc853b804abbbdbc014390220cc76b85d14a14c96315b196e6cd4561f5ceeb38
Instruction Fuzzy Hash: D3212CB19003099FDB10DFAAC4857EEBBF4FF48314F14842AE559A7240D778A945CFA5

Function 030CD968 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030CD9EF

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb471be7c297e4d3126e704bf6adff33cdd8ee4953d8a8377e7c9d0e2977bed1
Instruction ID: a16491c58e90cfc0017640281d1c619cf92817a98668c36bf924ebfb1311a005
Opcode Fuzzy Hash: eb471be7c297e4d3126e704bf6adff33cdd8ee4953d8a8377e7c9d0e2977bed1
Instruction Fuzzy Hash: 1121D3B59013489FDB10CFAAD884ADEFBF8FB48310F14841AE958A3350D374A944CFA5

Function 07A07300 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A07376

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7c45bcc7ac0d45cc988d24005e46ff05c669853de2b34058cada29507f47f2a3
Instruction ID: 4498a6526823d02d4dca7e88b5e73f7896f75323d935ca14dfcb75d222343269
Opcode Fuzzy Hash: 7c45bcc7ac0d45cc988d24005e46ff05c669853de2b34058cada29507f47f2a3
Instruction Fuzzy Hash: 3B2158B68003499FDF24CFAAD844BDEFBF5BB48320F20881AE525A7650C735A544CBA1

Function 07A07308 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A07376

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c027e860ac1c388856d1215f685dde3857968a534080eacefc1d59d77887998
Instruction ID: 807ecf74c05ad27f41830ac824bc97fc50635a67582483e8ca39f033f2975b76
Opcode Fuzzy Hash: 9c027e860ac1c388856d1215f685dde3857968a534080eacefc1d59d77887998
Instruction Fuzzy Hash: D81126728003499FDF14DFAAC844BDEBBF5AF88310F14881AE925A7250C775A940CFA5

Function 07A07179 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A071E2

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8a0f55d9aa605db86442cef1c66357e899264315c0bd1bf86e9f92c396956a09
Instruction ID: 1e0d1572c154f4ab46ed83d955b1169e7da3e8cf7bb628073f9a56148231780a
Opcode Fuzzy Hash: 8a0f55d9aa605db86442cef1c66357e899264315c0bd1bf86e9f92c396956a09
Instruction Fuzzy Hash: 051158B59003498FDF10DFAAC4457EEFBF4AB88320F24881AD429A7340CB756945CFA4

Function 07A07180 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07A071E2

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b10ba1bda1d38e914f4f7dcee6634028c11f1ff54e129c0d6c77b4eb3acd3dd8
Instruction ID: d7270dc17b60d69f7b0909d34d3c67406eacfefc29e1bb60f95d66ee88ea9c40
Opcode Fuzzy Hash: b10ba1bda1d38e914f4f7dcee6634028c11f1ff54e129c0d6c77b4eb3acd3dd8
Instruction Fuzzy Hash: FB113AB19003498FDB10DFAAC4457DEFBF4AF88314F24881AD429A7250CB756940CFA4

Function 030CB560 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030CB5C6

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f3341d80f4934da8375eb0143eebcc42ff74326c51811102e3047e7e947e2b8f
Instruction ID: b71037eeca4c4afe4e25645077120df68aa826721402cf67a83a556034221c8d
Opcode Fuzzy Hash: f3341d80f4934da8375eb0143eebcc42ff74326c51811102e3047e7e947e2b8f
Instruction Fuzzy Hash: 62110FB5C003498FCB10CF9AC444BDEFBF4AF88310F14851AD429A7601C375A545CFA1

Function 07A0B178 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A0B1DD

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 851a36c3760568ff0bc856ac77b29120a881fbc33569a59def9666405201d298
Instruction ID: 4abb1f56b135a97069421f94582a5a7a1308707fa64c3b1b503c138bd00f9e78
Opcode Fuzzy Hash: 851a36c3760568ff0bc856ac77b29120a881fbc33569a59def9666405201d298
Instruction Fuzzy Hash: 9711F5B58003499FDB10DF9AD885BDEFBF8FB48310F20841AE519A7640C375A954CFA1

Function 07A03F38 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07A0B1DD

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ec0ae4b4fcd5a18ea41a63824ce49a0dec56e5226b2b4ec8006cf8724bb86594
Instruction ID: 6e73ee777945d12ba8fd6d2f740aa3fa621a499801a13c517ff3904bc8d4e4ff
Opcode Fuzzy Hash: ec0ae4b4fcd5a18ea41a63824ce49a0dec56e5226b2b4ec8006cf8724bb86594
Instruction Fuzzy Hash: 9F11F5B58003499FDB10DF9AD945BDEFBF8FB48310F10881AE565A7240D375A944CFA5

Function 019AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610609817.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19ad000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec0fdf944c8d977d3b0a7a8c3457347ce482d173bf12b29cbd8990bfbefd44b
Instruction ID: 61cc5b87981868bfa0d9c15df888e38a5dc811304c40f4c9e43515afd8a9b23a
Opcode Fuzzy Hash: fec0fdf944c8d977d3b0a7a8c3457347ce482d173bf12b29cbd8990bfbefd44b
Instruction Fuzzy Hash: E72121B1504240EFDB01DF54C8C0F26BFE5FB88618F60C569E8890BA5AC336D45ACAE2

Function 019BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610649295.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19bd000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5d3f18fa89605ea9a70db7c1d20ea9f7aa6679a6be567391e1e787076e5152
Instruction ID: 50953d19df6796956043614ef90d61f10fe96dcdde4d3004fa716b32711ecbe0
Opcode Fuzzy Hash: 4c5d3f18fa89605ea9a70db7c1d20ea9f7aa6679a6be567391e1e787076e5152
Instruction Fuzzy Hash: A6210371504200DFDB15DF54D6C4B66BBE5FB84218F20C96DE80D0B242C336D447CA61

Function 019BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610649295.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19bd000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7005afffc5119dced96262ab157876a3cd0e2f9f1f6b069e2a17528aee8922a7
Instruction ID: 8df1b40812b2b6b99e6d75360c3f98f4ec3de801520bb303b4c6d6eee74142be
Opcode Fuzzy Hash: 7005afffc5119dced96262ab157876a3cd0e2f9f1f6b069e2a17528aee8922a7
Instruction Fuzzy Hash: AF21D071504284AFEB05DF94DAC0B66BBE5FB84228F20C96DE84D4B252C336D846CB61

Function 019AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610609817.00000000019AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19ad000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 3f534dd421f490c38eca74c0280ac6ce5e7298795b54ae526347aae34f6cd513
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 0011E676504280CFDB16CF54D5C4B16BFB1FB84318F24C6A9D8490BA5BC336D55ACBA1

Function 019BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610649295.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19bd000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: a25d3ea1f6d9bf2697a89aa318a7daec28fbb5618748efa30cab566085a38f4d
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: FD11BB75504284DFDB02CF54C6C4B15BFA1FB84228F24C6A9D84D4B696C33AD44ACB61

Function 019BD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610649295.00000000019BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 019BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19bd000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: de56d8d27b660084baa319b8d43c5cae76adb3257ba03da7404ac799a059d0bd
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 0411DD75508280CFCB12CF54D6C4B15FFA2FB84318F28C6AAD80D4B656C33AD44ACBA2

Non-executed Functions

Function 07A06520 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6816b2e8e9c5d420117cfe7e68d5bd43a45a3cb5755dbe74e2065ebc40207670
Instruction ID: 5930c72b2595a546271cf5ec9a33de638cf1ee3ab0e60c75adfb76f920c9a1ef
Opcode Fuzzy Hash: 6816b2e8e9c5d420117cfe7e68d5bd43a45a3cb5755dbe74e2065ebc40207670
Instruction Fuzzy Hash: B6E105B4E002198FDB14CFA9D580AAEFBB2FF89305F248569D814AB355D730AD41CFA5

Function 07A05220 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcd96eae5dad2f147d9548c67b982484fa15c7b419d9276e232cb2c824e2abd
Instruction ID: 9d6108c2a4bf4ceebb0a5937e7ae5109a9c0262722d024c9e15f9e0fbf3f78dd
Opcode Fuzzy Hash: 8dcd96eae5dad2f147d9548c67b982484fa15c7b419d9276e232cb2c824e2abd
Instruction Fuzzy Hash: 1EE129B4E002198FDB14CFA9D580AAEFBB2FF89305F248569D814AB355D730AD41CFA5

Function 07A04DE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c835d3c606f6e7865dc97c0589da097e5ae705a10f6e060faed801ace5cdd598
Instruction ID: 4ed3752ea2886025c060d7e9f7622209233136eaccd29691200aae5a6fd0e5c7
Opcode Fuzzy Hash: c835d3c606f6e7865dc97c0589da097e5ae705a10f6e060faed801ace5cdd598
Instruction Fuzzy Hash: 34E107B5E002198FDB14CFA9D580AAEFBB2FF89304F248569D914AB355D730AD41CFA4

Function 07A049B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62abd7d875872547665c16bc9fddccf4e44d00231e7eb295a49ead1b8eb954f
Instruction ID: af40b4de6ba618907eedb21ed0faebec1be71853f93d88b94a7bd7b9ad343f37
Opcode Fuzzy Hash: b62abd7d875872547665c16bc9fddccf4e44d00231e7eb295a49ead1b8eb954f
Instruction Fuzzy Hash: 31E13AB4E002598FDB14CFA9D580AAEFBB2FF89305F248569D914AB355C730AD41CFA4

Function 07A06958 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6343c57d0d2d7c95495e92ab41ef19690432cbb24aa1fdc36613b52c614b1224
Instruction ID: bb1d2dbd3b76585a88a54f401988ddfbd106621ceebb0dc7b445d268cf145ce8
Opcode Fuzzy Hash: 6343c57d0d2d7c95495e92ab41ef19690432cbb24aa1fdc36613b52c614b1224
Instruction Fuzzy Hash: 44E117B4E002198FDB14CFA9D580AAEFBB2FF89304F248569D814AB355D730AD51CFA4

Function 05811B51 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613320664.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68995212bdf70663cfc55d0269673586b0926581e40a194c9daf5e2f047b0224
Instruction ID: c69e5e21a9d58061386c81835317275ab86621fcc062fae9f44b5c3577d815fb
Opcode Fuzzy Hash: 68995212bdf70663cfc55d0269673586b0926581e40a194c9daf5e2f047b0224
Instruction Fuzzy Hash: 71D11830D20B5A8BCB40EB64D8946D9B7B1FFD5200F60CB9AE44937211FB706AD8CB91

Function 05811B60 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1613320664.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5810000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db010d1d6e4a32d53be3d316aebcb3c1b25b0adfe596b9c5ee4394c0ddf7d4e9
Instruction ID: a4d3c620e18661dc4aaa7b005592e899fc12eac4afb40448a4d2a58d2f966875
Opcode Fuzzy Hash: db010d1d6e4a32d53be3d316aebcb3c1b25b0adfe596b9c5ee4394c0ddf7d4e9
Instruction Fuzzy Hash: F2D10831D20B1A8BCB40EB64D8946D9B7B1FFD5200F60DB9AE44937211FB706AD8CB91

Function 030CD88C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1610952305.00000000030C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30c0000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8540cc911893c78d0aefad5b420da2ae5cb1aaba8d6d074b261ad6253b637a
Instruction ID: 70282b5da4cf42eaa6bdfc4ba27e35bb1c7aed3b2a5a00cf6e868dc55e1d93b3
Opcode Fuzzy Hash: ee8540cc911893c78d0aefad5b420da2ae5cb1aaba8d6d074b261ad6253b637a
Instruction Fuzzy Hash: 04A15936A1124A8FCF05DFA4D8445EEFBB2FF84300B15816EE806AF265DB71A956CB40

Function 07A0650F Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1616422725.0000000007A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a00000_PEDIDO DE COMPRAS OC 1203 CRI234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e50622bd51c29d0f4bfb2cf5326799047b26a86c7500afaff9ce4f850f4538
Instruction ID: b4e9bbb6c6d3ae29c89708bca0b540e790f8079dcde52c103f84aae44de8b7b2
Opcode Fuzzy Hash: d0e50622bd51c29d0f4bfb2cf5326799047b26a86c7500afaff9ce4f850f4538
Instruction Fuzzy Hash: EC511CB5E002198FDB14CFA9D9805AEFBB2EF89304F24856AD818A7355D7309941CFA5

Analysis Process: vbc.exePID: 5484, Parent PID: 5308COMMON

Executed Functions

Function 00D65CF0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34cdb6410dc8210b72d3e842a21537f1d709bfc5b1c065e3e4504f22f16e22c3
Instruction ID: dd4c94520f68ef9f6cc81f669cfa62760fc5486db776f08135d24ed535a007a2
Opcode Fuzzy Hash: 34cdb6410dc8210b72d3e842a21537f1d709bfc5b1c065e3e4504f22f16e22c3
Instruction Fuzzy Hash: 55B15170E00609CFDF14CFA9D88579EBBF2AF88314F188529E415E7294EB759885CF91

Function 00D665C0 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaf51da4bde5244c7798538c39a6238fb4f88dd1a279be900066879dbe15c64
Instruction ID: 2cfb40b5e8f8ec5860eba6c82e442fb4c29cd67f637f3fe1cdcafeaedb5d1192
Opcode Fuzzy Hash: adaf51da4bde5244c7798538c39a6238fb4f88dd1a279be900066879dbe15c64
Instruction Fuzzy Hash: F1B16D70E00209CFDF14CFA9D8857ADBBF2AF88714F188529E815E7294EB75D845CBA1

Function 00D61727 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

,, xrefs: 00D61870

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5f35e96f39d8344fcd3299ebea93ad9ab13583631c04ccb9c313cbfee95b84a2
Instruction ID: 80e56b7d8be234082851f5b3423c9b973014a428fec89a70e6231a668234049a
Opcode Fuzzy Hash: 5f35e96f39d8344fcd3299ebea93ad9ab13583631c04ccb9c313cbfee95b84a2
Instruction Fuzzy Hash: 2702CC74700200DFDB04EF64D851BAE7BE2BF84714F288969E4059B3A2DF75AC42CBA1

Function 00D62DA8 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

p @, xrefs: 00D62DD8

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID: p @
API String ID: 0-1223218288
Opcode ID: ae0bd008340a2cb8222a84a82d304ecbd9b2756d5943d7e9937d34531e673d70
Instruction ID: b66915a152827fd930b035d1d306d0975354f2510696204e8cbcfabf73e39711
Opcode Fuzzy Hash: ae0bd008340a2cb8222a84a82d304ecbd9b2756d5943d7e9937d34531e673d70
Instruction Fuzzy Hash: 74919C30A053059FCB05DF68C4846AEBBF2FF85310F5586A9D815AB392DB31ED46CBA0

Function 00D69E10 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

+, xrefs: 00D6A02E

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-3952988497
Opcode ID: b13ddbb5eb90e75b441011cad20fc4e34ef16b3f7fceab7db5fc3cdc83ffb419
Instruction ID: 3d7f2af924bb9be4e891c00008ebddae04f9fa999a4b536e70d474b797a8c341
Opcode Fuzzy Hash: b13ddbb5eb90e75b441011cad20fc4e34ef16b3f7fceab7db5fc3cdc83ffb419
Instruction Fuzzy Hash: DC9156B0600300EFE714CF28E8147957BE6F785B18F18852AD440DB3A5DBB99A46CFB2

Function 00D60EB8 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

d.t, xrefs: 00D60F05

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID: d.t
API String ID: 0-955178627
Opcode ID: a1212daf5b235d237d591386d4c1d5fc48eb20d91f5484896e7ca3c816689c5c
Instruction ID: 762514b2134c6a2b43014e23d96f0196a5830b304b27d6a5e9220871e4c99f58
Opcode Fuzzy Hash: a1212daf5b235d237d591386d4c1d5fc48eb20d91f5484896e7ca3c816689c5c
Instruction Fuzzy Hash: 29518F34B102149FD754DF69C458B5EBBF6EF89700F6580A9E806EB3A5CA75DC01CBA0

Function 00D63321 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 00D63380

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: aeeefb314723feff78f919de1bcfb278defa88ea84a2d8e1c158e66773ee88f3
Instruction ID: 6d59688101b1aeab1b5487d026ce25a9c8c8fb0680d60792c2c049ada2527b26
Opcode Fuzzy Hash: aeeefb314723feff78f919de1bcfb278defa88ea84a2d8e1c158e66773ee88f3
Instruction Fuzzy Hash: 50217F74F002149FDB44DF788814BAEBBF1EF88710F108469E94AE73A0EB759901CB90

Function 00D689A4 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ad2b73b8d329a49ca62e5688435fcccf769cb341edd5639ce42670611266ec
Instruction ID: 315be80ee291d1124ba85dab6d06791da44e83115544ebfd3866d1c1e3da69a2
Opcode Fuzzy Hash: 76ad2b73b8d329a49ca62e5688435fcccf769cb341edd5639ce42670611266ec
Instruction Fuzzy Hash: 5701AD30B016419FDB549B6498166AD7BB0FB6A700F214299E046DF2E1EF708E02ABB1

Function 00D65CE4 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c1aa1b07ec5a3d6fe9a3dd683607e97d6b692f538fc1e9b0e2cb3e273f01e6
Instruction ID: 4a0b137c8264476f2a598153803efa178b9d8999fcded9c008cf004514c3a8f8
Opcode Fuzzy Hash: 22c1aa1b07ec5a3d6fe9a3dd683607e97d6b692f538fc1e9b0e2cb3e273f01e6
Instruction Fuzzy Hash: 56B14E70E00609CFDF24CFA8D88579EBBF1AF88304F188129E415E7294EB759985CFA1

Function 00D665B6 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb41ab9f9982edf7cf89e78720708d9b01729827294346bc6e209a142ebefdf2
Instruction ID: 7e616c3bbb5c148ca8a37cb640a304809e5f5dd8a801f92092ebcfdfde40a925
Opcode Fuzzy Hash: eb41ab9f9982edf7cf89e78720708d9b01729827294346bc6e209a142ebefdf2
Instruction Fuzzy Hash: 24B14C70E00209CFDF10CFA9D88579DBBF1AF88714F288529E855E7294EB75D845CBA1

Function 00D6A208 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4691e244b6e7d1272466d1a3194c72b196ba8013dd5a8b2342d25755ddc1fc
Instruction ID: 8a7cbad66f97daee2630c8a37b88e1d558bb5cc5c2a1afbb5f9909917e93c227
Opcode Fuzzy Hash: fb4691e244b6e7d1272466d1a3194c72b196ba8013dd5a8b2342d25755ddc1fc
Instruction Fuzzy Hash: 69A158707013459FCB09EF38D4656ADB7E2FF89714B108569D806AB391EF389D068FA2

Function 00D62A20 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f74876dc706812f8a838e0676d23e1473cf70b625e70fc41bb02d1317a133f
Instruction ID: d629e3f163fd10cddec7c5883432ce6c02d2d72dc86391174e636ef30c238712
Opcode Fuzzy Hash: b4f74876dc706812f8a838e0676d23e1473cf70b625e70fc41bb02d1317a133f
Instruction Fuzzy Hash: 3DA18D74601341EFDB05EF30E454A9D7BB2FB84720B208669D5068B362EF799D46CF90

Function 00D62A30 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58fcb4ee3ff619d20d9007144d8af708bd9e3c8f98266e2fe194232efca8dff
Instruction ID: 82621508ea5725a5f1c1dca446078e799fab28ac59d54e861ad78bea854871af
Opcode Fuzzy Hash: f58fcb4ee3ff619d20d9007144d8af708bd9e3c8f98266e2fe194232efca8dff
Instruction Fuzzy Hash: 25A16C74601341EFDB05EF34E464A9D7BB2FB84720B208669D5068B362EF799D46CF90

Function 00D61962 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf970618f7823861046afe565382456b2cf4a34a9eb032d69ee313af9f083b10
Instruction ID: 5cc9391fca870b13c609dafa909183db4b79678b208206b2e8fbccb6c44cde6d
Opcode Fuzzy Hash: bf970618f7823861046afe565382456b2cf4a34a9eb032d69ee313af9f083b10
Instruction Fuzzy Hash: 6661ACB47003009FE704DF28D851B9A7BE3FB88B14F248568E5059B3A2DF75AD058BA1

Function 00D60D20 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14b0830f89d5fbc555ebeea83967f2fb0db5f6984e111506622118bc1c23b53
Instruction ID: 64313ab37b691a9cf08d65546adf1321f83b9f1eb6f336eb87001188dcaf7adb
Opcode Fuzzy Hash: a14b0830f89d5fbc555ebeea83967f2fb0db5f6984e111506622118bc1c23b53
Instruction Fuzzy Hash: EE41BD31B042049FDB15DF68D454B9EBBF6EF89300F1984A9E406EB3A2CB759C05CBA1

Function 00D69BB8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718ec64655fee53ff2aa8c17cebaf9e297a10bb3cb5a3e1148eac750f9a234e1
Instruction ID: e2b35b479f12b436a66f2b33f24f30cd041770e5fb010243f254cb0e6622c60a
Opcode Fuzzy Hash: 718ec64655fee53ff2aa8c17cebaf9e297a10bb3cb5a3e1148eac750f9a234e1
Instruction Fuzzy Hash: A1518E34600204DFE714DF25D9A9BA9BBF6BF88714F2581A9E5029B3E1CB75AC41CF60

Function 00D637F8 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476e1e5626ee5c212f60b98b8700a4fd1acf2754228983bd62f3e06296cfce2b
Instruction ID: 3ecc84294757634d56048fd5651ab6bf2d00a6a7570cf3b3ef0771904216bb9c
Opcode Fuzzy Hash: 476e1e5626ee5c212f60b98b8700a4fd1acf2754228983bd62f3e06296cfce2b
Instruction Fuzzy Hash: 3F41AE30B002488FDB24EB7994547AEBBE6EBC9310F14842ED01A97380CF749905CBA1

Function 00D6942A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed54ce4e51f4407dd7aaae07a824418329400613e23709fb26422e7c7a82400
Instruction ID: caf1c6b61b9e629406e045b16cf18120d2252e1c9ea554420133d049f087a673
Opcode Fuzzy Hash: 5ed54ce4e51f4407dd7aaae07a824418329400613e23709fb26422e7c7a82400
Instruction Fuzzy Hash: 09419174600155DFCB14EF68C994A6EFBB2FF44300F1580A9E806AB3A2D731EC01CB61

Function 00D60AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148c648d9236b17c92897431802a65bdab3fd9e8430e30e369928196168e89f9
Instruction ID: c07653d2005505fa589ecc44520aec074931a5b66427f689872f6062ae8ccb88
Opcode Fuzzy Hash: 148c648d9236b17c92897431802a65bdab3fd9e8430e30e369928196168e89f9
Instruction Fuzzy Hash: 7751B730502201EFDB05DF24F8669997BF3FBC46197508669D4018B36AFB39AD46CFA2

Function 00D61339 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6d15c147c14f63160fa22c02dd4889b1f657a694431b0b8e86dd4bb59e9dde
Instruction ID: b8a99c664e016201de16961e924f4e53e36f16990b8091fc03ac7d5512715166
Opcode Fuzzy Hash: ed6d15c147c14f63160fa22c02dd4889b1f657a694431b0b8e86dd4bb59e9dde
Instruction Fuzzy Hash: 5831C034B012568FDB449BB894656AEBBF6FFC9210B18416AE546DB391DE318C0287A4

Function 00D611D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fe4e6371412df3413102e28a45de180c22ccfcdb2d8a50efb042b3a9524fb6
Instruction ID: 8c09a4c9c174a99120209608534784e090f66d2341b30674cd51db85bc0beeea
Opcode Fuzzy Hash: 17fe4e6371412df3413102e28a45de180c22ccfcdb2d8a50efb042b3a9524fb6
Instruction Fuzzy Hash: D441A370A00209AFCB04EFB9845576EBBFAEFC8700F24C169D44AD7345DA349D428BA5

Function 00D69278 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b310be21774e3fde7f10a2027f217deaaefc6709f4fcc29b73e18de0bfc37
Instruction ID: 14cbc13df209f72ebc83b75f1e3271500e8d7792c7b0a4971f67418bf893dfec
Opcode Fuzzy Hash: d33b310be21774e3fde7f10a2027f217deaaefc6709f4fcc29b73e18de0bfc37
Instruction Fuzzy Hash: 1E416B30708601DBC76C5B59946862DFB7AFBC4701338C566E4468B7A4CB36DC23EBA6

Function 00D69261 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81d3a73d66bceabf1a45db2e664918b943658ff8b940287206b873e12ac799e
Instruction ID: 8dc94c0cea0628305a9159845ea964f38cd4ab71bb77466680fcc8f6cb5c8363
Opcode Fuzzy Hash: d81d3a73d66bceabf1a45db2e664918b943658ff8b940287206b873e12ac799e
Instruction Fuzzy Hash: 1341AD30608641DBC72D5B55946862CFB7ABBC4701338C56AE046CB7A4CB36DC23EBA6

Function 00D64206 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b7bdd957d4277f23339d5016fc7e4a1c2d967316e1327669193547e111373b
Instruction ID: f6690f050fa318d53939510486a380b7b1b9b2e91654a344a910f085f59de3ea
Opcode Fuzzy Hash: 08b7bdd957d4277f23339d5016fc7e4a1c2d967316e1327669193547e111373b
Instruction Fuzzy Hash: CA411EB4D0134CDFDB10CFA9C884ADEBBF5BF48304F208029E819AB250DB75A945CB94

Function 00D64210 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3be4db51b6abc20f12cf80fd1f1c364858f42b56deb86fc03710490422a3d94
Instruction ID: 242cd1bdf7d5b565cc3c5541fcfb443d89fddba6e36f157775d7671856da2fd8
Opcode Fuzzy Hash: d3be4db51b6abc20f12cf80fd1f1c364858f42b56deb86fc03710490422a3d94
Instruction Fuzzy Hash: 7941FEB4D0134CDFDB10DFA9C890ADEBBF5BF48314F24802AE819AB250DB75A945CB94

Function 00D60D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4963263f3c1fa6c3f052ecc2a514916ecce13ce823604fec3b3a3d6abd9ce5
Instruction ID: 99f7eb6dd3ff46c2fb42a99b295a12b1e7216115b69d1cc49073c20e3ec65e96
Opcode Fuzzy Hash: 0f4963263f3c1fa6c3f052ecc2a514916ecce13ce823604fec3b3a3d6abd9ce5
Instruction Fuzzy Hash: 69315B71A002049FDB14DF69C458B9EBFF6FF88300F188569E405AB3A1DB75AD44CBA1

Function 00D0D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834469329.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d0d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78284313706f9f726160c16944eb52389facd61de1ab84ff71ffb8d183e95f97
Instruction ID: 6d3e1669284100e79d2cb3ee21428cf9f99031bcef0345dbcfbf122f7bb9fb1f
Opcode Fuzzy Hash: 78284313706f9f726160c16944eb52389facd61de1ab84ff71ffb8d183e95f97
Instruction Fuzzy Hash: 90210671504240DFDB05DF94D9C4B26BBA6FB94318F24C56AED0D0B296C336D856CBB2

Function 00D60998 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1040012edab25404fdbe16475cb0c78654a6d49e91712e76dfeb55ba5bd7591
Instruction ID: db53e43b157cefa921adce1225320c091dcb49da2c4351ca7571a892c3f11a67
Opcode Fuzzy Hash: f1040012edab25404fdbe16475cb0c78654a6d49e91712e76dfeb55ba5bd7591
Instruction Fuzzy Hash: 8B217F30715742DFDB689BB4A81966F3FA5AF54385B18846EE843C3291EF38C901CB71

Function 00D609A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c1d3d40a9515f7d0a06e3e0f90281d32a76eda30d9df7602f28311a8a2bd1c
Instruction ID: 87774a2b7809c4ada601d78fa0065558e97059da36776e9320467cba58850ef6
Opcode Fuzzy Hash: 79c1d3d40a9515f7d0a06e3e0f90281d32a76eda30d9df7602f28311a8a2bd1c
Instruction Fuzzy Hash: F0214930611307DFDB68ABF5A81966F3EA9AB44384B18842DA842C2251EF38D901DB72

Function 00D68FF2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd6bf4aaca81e55fe0dd7253585dc0c8059e17bdc56c5f9a32ebb57e132145c
Instruction ID: a9d0c2b884664b107543d0086b5040d68f83f90e02936f94ebdab2bf57e918c0
Opcode Fuzzy Hash: 5bd6bf4aaca81e55fe0dd7253585dc0c8059e17bdc56c5f9a32ebb57e132145c
Instruction Fuzzy Hash: 36215C30601215CFCB18EB74D5656AE7BF6FF89714F144428D402AB361DF769C46CBA1

Function 00D69190 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2b7837908b99c6bb78cff2d452f68d4605c2f736febc41d2289ac63346235e
Instruction ID: 24c1df7e35431d98bdce4bf57d6c58c2fef83008fcf3bb2273b9f265d2f961ca
Opcode Fuzzy Hash: ff2b7837908b99c6bb78cff2d452f68d4605c2f736febc41d2289ac63346235e
Instruction Fuzzy Hash: 392193307101149FDB149B68C828BADB7FAAF8DB10F24815AE406EB3B1CF758C058BA5

Function 00D69E6B Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302da898fbb5b21d7d0c744cd194cfb7064106ace0222bab0b0162f2c4b4af98
Instruction ID: fd04f88f294b445fb35169d33dff71ddf9be9e90091d0fc2be178f9887731a36
Opcode Fuzzy Hash: 302da898fbb5b21d7d0c744cd194cfb7064106ace0222bab0b0162f2c4b4af98
Instruction Fuzzy Hash: CA2157F5A01300EFE714CF28E8547947BE2B785B14F09856AD840C73A6DB759A46CFB2

Function 00D6A1FA Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1ebdba26bb01100cd98c07da9a65d05880d27b4e1582013e8c6cef78e4c57c
Instruction ID: 299a9a000f95971cf9d14d96f437e2f4cf59111106cb421ccf0f46a2308e6ebf
Opcode Fuzzy Hash: 2b1ebdba26bb01100cd98c07da9a65d05880d27b4e1582013e8c6cef78e4c57c
Instruction Fuzzy Hash: 5B11CE347012405BCB49AB78D8666AE37EAEBC97147008539CD0AD3385FF759D0A8BE2

Function 00D69697 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd74986cad4ed025d76d0ffd3ed69041d083990ec98fba22516e3362fb3acf3
Instruction ID: 279cb66bbdc1e87c9f9fffb34295f2a48a4f65bf42eb2be04a5404be012b6179
Opcode Fuzzy Hash: 9dd74986cad4ed025d76d0ffd3ed69041d083990ec98fba22516e3362fb3acf3
Instruction Fuzzy Hash: 89113074B502449FDB189F69C865B6DBBF6AF89710F14406AE902EB3A1CAB59C01CB60

Function 00D6B5B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102ca36192ffd909cb9a33a8a78d06d4ae93a1370b9e435304e70450bf2f40c5
Instruction ID: 56d91be9f0de7d3100a20d2ec4442caa6efea81aeeb2926aa5eef95cc6807ee5
Opcode Fuzzy Hash: 102ca36192ffd909cb9a33a8a78d06d4ae93a1370b9e435304e70450bf2f40c5
Instruction Fuzzy Hash: 3C110370A002459FCB41EB38D8066DEBBB1EFC1714F508769D5058B282EF759906CBF2

Function 00D696A8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53833500cb3cceb91080ff2f9772863dc6b6cfb4f177919345d7e299a2661fee
Instruction ID: 59f2a836d58812cb8e7a667fcd1a281ba8f6050c812baac686fea4dc778584ca
Opcode Fuzzy Hash: 53833500cb3cceb91080ff2f9772863dc6b6cfb4f177919345d7e299a2661fee
Instruction Fuzzy Hash: 65114234750104DFDB149F69C895B6EBBF6EF88710F144059E902AB3A5CEB59C01DBA0

Function 00D0D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834469329.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d0d000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 77af06918e5e32ca90c6d8be6312076b8d0029e6f320f7155ab430a073ab0bb9
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 1611D376504240CFCB16CF54D9C4B16BF72FB95328F28C5AADD090B656C336D85ACBA2

Function 00D61431 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 220e2c528777df9dc426ae619332ea46db4dcc25e168b0b4fc67db5ec00e53a2
Instruction ID: 638096f8f1b852b3ee887fa8b1e2c2bbd23c38c8192d13bcbd59d9dd034a8679
Opcode Fuzzy Hash: 220e2c528777df9dc426ae619332ea46db4dcc25e168b0b4fc67db5ec00e53a2
Instruction Fuzzy Hash: 1211CE30A01241CFCB44DBB8C61856ABBF2AF893007590479D806CB351EB31EC02CBA0

Function 00D61440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbd6da8adf79b92a28b4af468609109eaf36a838063f3880d00ae04baa78483
Instruction ID: 195095c02c266a2016d4f3b93ffb010b4e11b37a98dd39c6bf251fe6a10742e0
Opcode Fuzzy Hash: dbbd6da8adf79b92a28b4af468609109eaf36a838063f3880d00ae04baa78483
Instruction Fuzzy Hash: B111C030B01205DFCB48EBB9CA1966A7BF6AF88714725047DD40ADB311EE31EC02CBA0

Function 00D6A5D0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b30a6cac1862b028137fd9a902cdb775eb0a9d63f18c8223e346cda2ae613df
Instruction ID: b4bc232ebd681394178c42f7181462ea85274de6999d1a2da87d5cf82193d4bf
Opcode Fuzzy Hash: 7b30a6cac1862b028137fd9a902cdb775eb0a9d63f18c8223e346cda2ae613df
Instruction Fuzzy Hash: 1111A5317401149FDB149B58C958BAEBBF2AF8C710F244159E406E73A1CFB58C05CF95

Function 00D6B5C0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0cba623591af283f16250459be7cb037becf80b78a0a0a40fe2e0467610b19
Instruction ID: 31b936a7603790ee44fbdb62abc711c33b6adf3bcdf8b02c9550041ddd5a097b
Opcode Fuzzy Hash: 3b0cba623591af283f16250459be7cb037becf80b78a0a0a40fe2e0467610b19
Instruction Fuzzy Hash: C611C1706002459BCF41EB38D41269EB7E1FF81724B108769D1058B282EF759A06CBF2

Function 00D637E9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4dbf1636b20ae2721d1382b9a3b748f34bc6319677dc597a24ad4c5483479f
Instruction ID: f694d1bab1ff1f12203f92b81b3e68d460d03db553408f4e5db8e9be0496635a
Opcode Fuzzy Hash: 4f4dbf1636b20ae2721d1382b9a3b748f34bc6319677dc597a24ad4c5483479f
Instruction Fuzzy Hash: 7901A2317052404BCB25A738A9A477EB7E7EBDA355B19443DE40AC7742DF74CC068761

Function 00D60E3F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4b0267144cd133a2d99cdc7b14a013ead2f1e981c6eaf8247a761ca6ac0166
Instruction ID: ff98413235421badddf8e614826c65bd386eae7bdb66df7727ae78f25a6ba3e8
Opcode Fuzzy Hash: 6a4b0267144cd133a2d99cdc7b14a013ead2f1e981c6eaf8247a761ca6ac0166
Instruction Fuzzy Hash: 23F0C8307043505FC3499B3D681566E3FEBDFCA25075A44B6E109CB3D2DE298C0687B1

Function 00D68CD8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae1d3c74dd1c32045e76792fdb51a83d155d4cc5d714fd4ca3b7f0d929274e4
Instruction ID: fa8634ab45cfbb6512093f6fc65d6d06227ffb63dce24f0c358a9413e1319f43
Opcode Fuzzy Hash: dae1d3c74dd1c32045e76792fdb51a83d155d4cc5d714fd4ca3b7f0d929274e4
Instruction Fuzzy Hash: 57018171B001159FCB44EFA8D8127AE77B5FB49710F1042A9E509DB291EF709E019BF1

Function 00D68D60 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fc55f568e6a6894b4810a7a07cd8101cef4d1fc6f52f1246f628f5e06ed730
Instruction ID: 9a52e0e99f588f57db2a32a574d44074026b5a6f4cb648d0b7048b9bf21006ce
Opcode Fuzzy Hash: b5fc55f568e6a6894b4810a7a07cd8101cef4d1fc6f52f1246f628f5e06ed730
Instruction Fuzzy Hash: C71100B5900348CFDB20CFAAD485BEEBBF4EB48314F20841AD429A3650C774A944CFA1

Function 00D68D68 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc831e3164ca868ab38c42ac689aa653e2d507ea536c3187a8b73620285027a
Instruction ID: e16492824002b1e988a1ade4323f732cb188cabc08247d4ff1bb350d0ba04f70
Opcode Fuzzy Hash: 2bc831e3164ca868ab38c42ac689aa653e2d507ea536c3187a8b73620285027a
Instruction Fuzzy Hash: 2A111EB58003488FDB20CF9AD484BDEBBF4EB08324F20841AD529A3740C774A944CFA1

Function 00D6887F Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece2efa1cf9de9c8e7cd7b49772b385b772b622cca74a1e5f25f99a09bd0599e
Instruction ID: 8cee532a88403640d084a25bf42361e531e5b152a9d33b644e596c7ea9455778
Opcode Fuzzy Hash: ece2efa1cf9de9c8e7cd7b49772b385b772b622cca74a1e5f25f99a09bd0599e
Instruction Fuzzy Hash: 3FE092216411519FC708ABB8E41D5983FE4EF8A310B9800E6D105CB7B2EE68CD0193B1

Function 00D625F1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c812ecae4ed2291db5fe37d039fd5df741af2d82631366878b68c02bcd0df2
Instruction ID: e06e19cccd3fcb9e5612b688d7684d97b3ecffc167e3b44cdc76eb023f5cbb62
Opcode Fuzzy Hash: 18c812ecae4ed2291db5fe37d039fd5df741af2d82631366878b68c02bcd0df2
Instruction Fuzzy Hash: 31D0C731154614DFC344DF59E455D827BBAFF45604F41009DF5055B663C721BC20DBA5

Function 00D60A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5201777b789978eeb51db428bd70b35095c4056dbe38b3767299ccebdfc609
Instruction ID: 9a2acde7e76014ab91cc8b599d184ad0a363e183441b856d9bb8afc1225f2a89
Opcode Fuzzy Hash: fe5201777b789978eeb51db428bd70b35095c4056dbe38b3767299ccebdfc609
Instruction Fuzzy Hash: D3C08C3412A34BEFE3102BE0E808BAD3D61ABD0381F548015E092C1260CE784812433A

Function 00D60A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c91d4fbfd6834e8055552143155012410b18c7ef09c157a885aebd7b8298161
Instruction ID: 0d01c340dc58df473eca577c330f8dfa279bca1ce6003ec59655c0201761c9f4
Opcode Fuzzy Hash: 1c91d4fbfd6834e8055552143155012410b18c7ef09c157a885aebd7b8298161
Instruction Fuzzy Hash: 71C08C3012A78AEFEB101BE0E808BAD3E61A7D0381F54801AE092C0260CE784812873A

Function 00D62600 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2834734451.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d60000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761cc6f3040006512f9a2f654cb6b68ec9b1c5222b70c44ecfaaacece14b5851
Instruction ID: 48b918af327e233c0c091df5e563082373411ecd6df75d50d6ca3ab8efd1a4e5
Opcode Fuzzy Hash: 761cc6f3040006512f9a2f654cb6b68ec9b1c5222b70c44ecfaaacece14b5851
Instruction Fuzzy Hash: 7EC04835260208CFC244EB99E599C12BBE8BF58A0434100AAE5018B722DB21FC10DA66

Analysis Process: DpmrYeeDGcj.exePID: 4136, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	258
Total number of Limit Nodes:	10

Executed Functions

Function 04C94B11 Relevance: 2.9, Instructions: 2879COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d985fc4d0fc147b04b75ad54fef5acb577588a5ed3f81d05f6ee8e8b2dcb34
Instruction ID: 1db0b6293f3eb8b977cb0ab2c1c1796eef85b1ca2e70306017cad0d270bb8083
Opcode Fuzzy Hash: 94d985fc4d0fc147b04b75ad54fef5acb577588a5ed3f81d05f6ee8e8b2dcb34
Instruction Fuzzy Hash: 8153D775A01219DFDF64DF28C888A9DB7F2BF88310F558595E419AB2A1DB34ED82CF40

Function 04C97718 Relevance: .8, Instructions: 787COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab34430cf583d7d6dcbdde93e0fe9c09111be574e8775466c13fe0464f7e6bd4
Instruction ID: 4c33f8ad69cdc8ca48e5c49b9495cb7299e2b7dcd2dce37743ee27ca0e6976cc
Opcode Fuzzy Hash: ab34430cf583d7d6dcbdde93e0fe9c09111be574e8775466c13fe0464f7e6bd4
Instruction Fuzzy Hash: FF52A234B12205EFDF19DF69C858A6E7BE3AF88700B1944A9E406DB361DB31ED41CB91

Function 04C94060 Relevance: .7, Instructions: 723COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628d34ea43f2df650a4a2465547b1477e1d4621f030d81fb128c6b5dcc3fa72f
Instruction ID: 185a4fa98d8474f86b0f22fde204c4733f9ca17cae367e3ebde2b36bf2aa234e
Opcode Fuzzy Hash: 628d34ea43f2df650a4a2465547b1477e1d4621f030d81fb128c6b5dcc3fa72f
Instruction Fuzzy Hash: F1526A34A04215AFDF18DF69C888AAD77F7BF88710B158169E806DB364DB31ED42CB94

Function 06E87644 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E87886

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 79a5ed955d92823315555b36becb39e22f34d24c779c22d9827a59915d62abee
Instruction ID: 3fc3c047dc243eaae50ee1a55bede72152f2aa6e9cdff4d8f4f1569fa3bacd4f
Opcode Fuzzy Hash: 79a5ed955d92823315555b36becb39e22f34d24c779c22d9827a59915d62abee
Instruction Fuzzy Hash: EA914971D007198FEF50DF68C841BDEBBB2FB48314F248569D818A7280DB759985CF91

Function 06E87650 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E87886

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ac6a050d0aada5a2aaef2b9d0471cfdf327648df6eed418913ac460eddb84b26
Instruction ID: 22ca389b511074f9ff582eab9d33e40de017cbbccc00bb730b5948fc8ac03187
Opcode Fuzzy Hash: ac6a050d0aada5a2aaef2b9d0471cfdf327648df6eed418913ac460eddb84b26
Instruction Fuzzy Hash: BF913871D007198FEF60DF68C841BEEBBB2EB48314F248569D818A7290DB759985CF91

Function 025AB360 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025AB5C6

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6c3f1e0121c65102928ef052bb8a765c69362f994cbc2c11992c7fa02e891fa5
Instruction ID: f4781f825617d496d99b181ceb923c8fd75b844693cb56813e669c638f4a7cf8
Opcode Fuzzy Hash: 6c3f1e0121c65102928ef052bb8a765c69362f994cbc2c11992c7fa02e891fa5
Instruction Fuzzy Hash: 19815770A00B058FDB24DF2AD55179ABBF2FF88308F10892ED48AD7A40E774E945CB95

Function 025A590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A59C9

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cc93dbc8d913f0332d6f8e60d44da17c8e0bcb9433a2c9e02de82be4c86ab5e7
Instruction ID: 99789ca80a777a1919bc3cc7318b97a6d4273445dec15d7c800e8e77e7f7882f
Opcode Fuzzy Hash: cc93dbc8d913f0332d6f8e60d44da17c8e0bcb9433a2c9e02de82be4c86ab5e7
Instruction Fuzzy Hash: 3241C270D00719CFEB24CFAAC885BCEBBB5BF49704F60806AD409AB250DB756949CF50

Function 025A44F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A59C9

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2e37e35f3a3d0b39a9eb59930d45f9983371cf8280c8cdd192b77dfc7050933f
Instruction ID: 6ece4c263747cf7e2de17c3e387b7b1ebacb27f564d020a1f4a21e899395f23a
Opcode Fuzzy Hash: 2e37e35f3a3d0b39a9eb59930d45f9983371cf8280c8cdd192b77dfc7050933f
Instruction Fuzzy Hash: F641CF70D00719CFEB24CFAAC885BCEBBB5BF49704F60806AD409AB251DB756949CF90

Function 06E873C0 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E87458

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1bc4039358bdeac7cba95928890762ff69f12e17d8c9db9be7b9322443f9f54d
Instruction ID: 908cc0a35a7b1f644404943f06b02a71656134255f04ca304feebc41b9a2e1b8
Opcode Fuzzy Hash: 1bc4039358bdeac7cba95928890762ff69f12e17d8c9db9be7b9322443f9f54d
Instruction Fuzzy Hash: 212146B29003098FDF00CFA9C981BEEBBF5FF48310F14842AE918A7240D7789550CBA4

Function 06E873C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E87458

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 51cacc6f6d3291204c42bf437277900b8ec78bf64092096b6f95c64f7add5112
Instruction ID: 8e1a61d266a4f0844111eb4650694a1e88ba41be04d9597941ee169b5a1344a5
Opcode Fuzzy Hash: 51cacc6f6d3291204c42bf437277900b8ec78bf64092096b6f95c64f7add5112
Instruction Fuzzy Hash: FA2136719003599FDF10DFAAC881BDEBBF5FF88310F10842AE918A7240D7789951CBA4

Function 06E87228 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E872AE

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a37445c3d2831162f5a0adbe41baf8965dc86b5767ad5eb931ba02de15f26f22
Instruction ID: 99bd52f6746efe16007fd9bd3defb365eff6e9d3e9afec3bbba0d41a43bd09a9
Opcode Fuzzy Hash: a37445c3d2831162f5a0adbe41baf8965dc86b5767ad5eb931ba02de15f26f22
Instruction Fuzzy Hash: 282139719003099FDB50DFAAC4857EEBBF4EF48314F14842AE519A7240DB789944CFA5

Function 025AB350 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025AD526,?,?,?,?,?), ref: 025AD9EF

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7db5a541e6de13ccdc1809d419c48404959b8e724f34a2ae1047235c14498287
Instruction ID: 4324d7ea18e5bab8a9ff802cb4a60902af50cd347cb798b2f54891caa7226fbc
Opcode Fuzzy Hash: 7db5a541e6de13ccdc1809d419c48404959b8e724f34a2ae1047235c14498287
Instruction Fuzzy Hash: 2F21E3B5901348AFDB10CFAAD984ADEBBF8FB48310F14841AE914A3350D374A950CFA5

Function 025AD960 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025AD526,?,?,?,?,?), ref: 025AD9EF

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1efb7774bf14fcf8a037d4b80428384fd7a16819ee2bf6409368f28de49170a8
Instruction ID: ae3b2283643b0f23ee4f0e883a1ac473e394d86398c052e12decda49c6f22cb1
Opcode Fuzzy Hash: 1efb7774bf14fcf8a037d4b80428384fd7a16819ee2bf6409368f28de49170a8
Instruction Fuzzy Hash: 8D21E4B59013489FDB10CFAAD985ADEFBF8FB48314F14801AE958A3350D378A950CFA5

Function 06E874B0 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E87538

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f70f3fa3a0d19ad8d144dcc24d63f212275efc16e58c544c9da891326c5aed55
Instruction ID: 67e7846206e55a5a4537720e50e7075767d601f44ce161e0fd3be34f3cb85913
Opcode Fuzzy Hash: f70f3fa3a0d19ad8d144dcc24d63f212275efc16e58c544c9da891326c5aed55
Instruction Fuzzy Hash: A62125B28003498FDF10CFA9C981BEEBBF5FF48314F14842AE918A7250C7789540DBA4

Function 06E874B8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E87538

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 377522d996243e841674661cf61070ad441e1e614fc9406ba686a107a78284e5
Instruction ID: f6e96f79cf0883266f7787bc5e9c7c8913b69fda5192a86102d076758010d365
Opcode Fuzzy Hash: 377522d996243e841674661cf61070ad441e1e614fc9406ba686a107a78284e5
Instruction Fuzzy Hash: A62125B18003499FDF10DFAAC881BEEBBF5FF48310F50842AE918A7250D7789940DBA4

Function 06E87230 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E872AE

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ae61b17ec08a63ce897c5c915f99598b05500fd78ecb4d60a360d2799a7d0a9d
Instruction ID: 5eeba0c72b913f7d55569e38bf8eca1a8b917980b525e47da9dfee71c6b9bd5a
Opcode Fuzzy Hash: ae61b17ec08a63ce897c5c915f99598b05500fd78ecb4d60a360d2799a7d0a9d
Instruction Fuzzy Hash: B4212971D003098FDB50DFAAC4857EEBBF4EF88324F14842AE519A7240DB789945CFA5

Function 06E87300 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E87376

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75135da7ba6a4e00968a2707a6048bcfbce9c055833c0cdb7e0a239cd75f7dd8
Instruction ID: 4c7af02004007a106bddfdfcbc6f3ea730a6709f9bb53cb66b304a5021c66169
Opcode Fuzzy Hash: 75135da7ba6a4e00968a2707a6048bcfbce9c055833c0cdb7e0a239cd75f7dd8
Instruction Fuzzy Hash: 1D116AB68003088FDF10DFA9C8457EEBBF5EF48310F14881AE519A7650C7399550CFA0

Function 06E87308 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E87376

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aef234baa2ac3bc3503df137f02df3c5acb57a94356e4a01b4da218c6f07ca6f
Instruction ID: a4b3fda2336f873f0ea27aa86f703a04634e1641c27484ebc1302b79b43359ba
Opcode Fuzzy Hash: aef234baa2ac3bc3503df137f02df3c5acb57a94356e4a01b4da218c6f07ca6f
Instruction Fuzzy Hash: ED1114728003499FDF10DFAAC845BDEBBF5AB88310F24841AE919A7250C775A950CBA5

Function 06E87180 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E871E2

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 530d1b95c11eb4eecc9f7bee902105c9ea4dffeb8ab72d65a765e4c2ebb65c21
Instruction ID: d34f6a3f8bc8a9131a998bc3215a8bf34f39cb62e6f606e3a3fe98d435a284cd
Opcode Fuzzy Hash: 530d1b95c11eb4eecc9f7bee902105c9ea4dffeb8ab72d65a765e4c2ebb65c21
Instruction Fuzzy Hash: B51128719003498FDB10DFAAC84579EFBF4AB88214F24841AD519A7640CB79A544CBA4

Function 06E87179 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E871E2

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b6db548fd8c70e1ddf51211267e832fbb79b87376af991027d13288f2d850c4f
Instruction ID: 91b590462c9b99b55cc9c61dceb3ad2d809d954b2d238c972abbe506289af9de
Opcode Fuzzy Hash: b6db548fd8c70e1ddf51211267e832fbb79b87376af991027d13288f2d850c4f
Instruction Fuzzy Hash: 31113AB2D007498FDB10DFAAC8457EEFBF4EF48214F24841AD529A7640DB79A544CF94

Function 06E83F38 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E8A46D

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c6847ebd6e5116234555419854137d75a8cb5a719a6cf3730b576025cae7cf70
Instruction ID: 3296e7f3b66b92ebf407c493b93a29e74588b9530b18a5f5223ed06c3d737a1d
Opcode Fuzzy Hash: c6847ebd6e5116234555419854137d75a8cb5a719a6cf3730b576025cae7cf70
Instruction Fuzzy Hash: 871106B58003489FDB10DF9AD849BDEBBF8EB48314F10841AE518A7200D775A944CFA1

Function 025AB560 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025AB5C6

Memory Dump Source

Source File: 00000009.00000002.1654032207.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_DpmrYeeDGcj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8a4b961bfc2afa59bbfaf727e48e1f6a317b151968b4db0b84c4b16ee6baae60
Instruction ID: 5e2b67a5f7921572b2e07dc26d62bf30da08909226c47b3f744fcfae3970628f
Opcode Fuzzy Hash: 8a4b961bfc2afa59bbfaf727e48e1f6a317b151968b4db0b84c4b16ee6baae60
Instruction Fuzzy Hash: 4A11DFB5C006498FDB14CF9AD444ADEFBF4AF89314F10841AD829A7610D379A645CFA5

Function 06E8A408 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E8A46D

Memory Dump Source

Source File: 00000009.00000002.1658832800.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e80000_DpmrYeeDGcj.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 88a568786b53f354d26298392a7f43fcb46969fbe7dc293c6978bcefc026f5c4
Instruction ID: a6b586e2d213331cc7e79035a0d4fa6db45b42c28ca9ef251cef6124a377a4a0
Opcode Fuzzy Hash: 88a568786b53f354d26298392a7f43fcb46969fbe7dc293c6978bcefc026f5c4
Instruction Fuzzy Hash: 001115B6C00308DFDB10DF9AD985BDEBBF8EB48310F20841AE518A7240D374A644CFA1

Function 04C9FC38 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 04C9FC6A

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c048583cbd41c83a608cdd884724baaeaa5c516b8eb0122aee5f52bb4a0579a4
Instruction ID: b1375a6c1af2e087fb2e78fa5986a827a088ccffb2ab507c6314d6b45f822738
Opcode Fuzzy Hash: c048583cbd41c83a608cdd884724baaeaa5c516b8eb0122aee5f52bb4a0579a4
Instruction Fuzzy Hash: EB21C231B00314BFDF15AB78945866E7BE6EF89214B1080BDD805DB351DF35AD01C795

Function 04C9FC29 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

@, xrefs: 04C9FC6A

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 13869b2fe80196bda5b40c1a154408a85bccf3e0512fec95af8e90d38285c445
Instruction ID: f159d9f2f7ee63febcace00dbe77ab1d4797a05289d650cefce54de05a1b4107
Opcode Fuzzy Hash: 13869b2fe80196bda5b40c1a154408a85bccf3e0512fec95af8e90d38285c445
Instruction Fuzzy Hash: 3A11C631B00204BBDF146AA8949427EBBF3EF88208F14807DD804DB340DF35AD15C791

Function 04C98158 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df048f7bac4e2588ee382be824297184c7fb303cb73a726f3dcc75aa1929ac2
Instruction ID: b2ab4578db50a972c38701c655ac127ce4b3bf112ab7981726eb1eeaf56322e3
Opcode Fuzzy Hash: 6df048f7bac4e2588ee382be824297184c7fb303cb73a726f3dcc75aa1929ac2
Instruction Fuzzy Hash: 95A18174A10655DFDF19DF68C888AAEBBF2BF46300F158169E8059B3A1C730ED42CB60

Function 04C9A820 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a78c0a2fa1a1ca8d7a3e6b52f5b8ac926725ca089e42271efae1668e0e5a9a
Instruction ID: f0a57b198671fac03885d17d5e7944e7bc66087f4453dd042f7efc3c5309d6a4
Opcode Fuzzy Hash: 27a78c0a2fa1a1ca8d7a3e6b52f5b8ac926725ca089e42271efae1668e0e5a9a
Instruction Fuzzy Hash: 0981D4347506109FCB04EF28D5989697BF6FF89B05B2581A9E502CB375DB71ED02CB90

Function 04C9BDA0 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8eb8291375cb3aed98b6e7bb41c257788e5164475c47bee11e3c77528d6542f
Instruction ID: 42912a756dafeac869afa389696cae747964d1404c8fb471eb0405760a81e914
Opcode Fuzzy Hash: f8eb8291375cb3aed98b6e7bb41c257788e5164475c47bee11e3c77528d6542f
Instruction Fuzzy Hash: 6A815A70E003599FDB14DFA9C8946EEBBF2BF89300F24856AD405AB391DB749942CB91

Function 04C9E6C0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1785e55b8e91e8c2143a992cbaeb244462bd526d7eabc9ae4f3a9be5b603da0
Instruction ID: 49de6c3584896ede8fcca03ce0beac3eebd73c7b2eeb05aba4a027d26235e745
Opcode Fuzzy Hash: a1785e55b8e91e8c2143a992cbaeb244462bd526d7eabc9ae4f3a9be5b603da0
Instruction Fuzzy Hash: 48817035A10208DFCF04EFA4D8589ADBBB6FF99304F158559E502AB364EB70AD45CF90

Function 04C9F990 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc46c1c05a49a0e3938825ed1f852b3d1db20affe3d942dbb9959663b0e15672
Instruction ID: b04a2efe2bc4ea829b057e1123bd3cf7d58b908781b955093471b4c18672e557
Opcode Fuzzy Hash: bc46c1c05a49a0e3938825ed1f852b3d1db20affe3d942dbb9959663b0e15672
Instruction Fuzzy Hash: 14812A31B00204AFDB14EF64D8986AEB7F2FB89324F1584BDD009EB261DB35AD45CB91

Function 04C9A2E0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462794f0831433189f068ba5f5370655e81d4b2cac344445edcfe024adda29f5
Instruction ID: 48fa1a374ee3372e5392b3d2316566dfc4e23afeb54c4c48ad1a835207ecd82e
Opcode Fuzzy Hash: 462794f0831433189f068ba5f5370655e81d4b2cac344445edcfe024adda29f5
Instruction Fuzzy Hash: 0D716B35A002588FEB04EF64C958AADB7F2FF89314F2444A9D405AB7A1CB36ED41CF61

Function 04C93A08 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac2b7fa1a27bc2c249215b1d928d4f2a7f51248f05e4150141665a9b83c8d34
Instruction ID: 89e69e47b13c8d57edcd615dd87dd617486690592262d9261cdba36083888c7e
Opcode Fuzzy Hash: 6ac2b7fa1a27bc2c249215b1d928d4f2a7f51248f05e4150141665a9b83c8d34
Instruction Fuzzy Hash: 87718C35B00258EFDF159F68D858AED7BF2AF8D710F144069E802AB3A1DB31AD41CB95

Function 04C93E60 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e691b92cca2bf339cc08d6be1e303ef0053f47f2564b099775bdea6483882031
Instruction ID: f938b0f9637cd1aabc305241e451404a88e1f0121214e30c41aa9329eb64214c
Opcode Fuzzy Hash: e691b92cca2bf339cc08d6be1e303ef0053f47f2564b099775bdea6483882031
Instruction Fuzzy Hash: C551BF71B04246EFDF28CF69C88866E7BF3AF89301B0540A9D805DB262EB31EC42C755

Function 04C9BAA4 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5710e44cd08bcd822db29348f863a70785b11a9a9ef22d303f5eee07063648b9
Instruction ID: dfd425042ffa19285680b3f99da07b64c624ed80b5b42a319503806d375c3e04
Opcode Fuzzy Hash: 5710e44cd08bcd822db29348f863a70785b11a9a9ef22d303f5eee07063648b9
Instruction Fuzzy Hash: D441BB70A01218FFDF14DFA5E8885EEBBF2FF84214F1180AAE445A7251DB34AD16CB90

Function 04C909DC Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a1e70748556afee47692f4cf0ef26619e77a84ccf7ef7cbb93d11b21e23e55
Instruction ID: c9eb1ca4f123389bf2f5fbc9aa1c04046f5d262bf1e83ae47fec27ac9072a422
Opcode Fuzzy Hash: 19a1e70748556afee47692f4cf0ef26619e77a84ccf7ef7cbb93d11b21e23e55
Instruction Fuzzy Hash: 3951D5B1A00245AFEF14DFA9C8447AFBBF6EFC5310F14486AD445A7280DB34AD41CBA1

Function 04C90C50 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4f96c1cd5ad47b2e4f77fbf0494aac240fa07aa85e7207337a99289a1f455e
Instruction ID: 430ef03f34a46ba7ebc7a5341d7dd70824630dc54061f652748143c57fecb186
Opcode Fuzzy Hash: 4c4f96c1cd5ad47b2e4f77fbf0494aac240fa07aa85e7207337a99289a1f455e
Instruction Fuzzy Hash: 3041BB71B002159FDB14EBB998489BEBBF7EFC43207588569E419DB390EB30AD028790

Function 04C9C0A8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47feb8db38a7abdd7ecd1e17ca2fce55adeada0a1d02dca8525767b7fe70ba8
Instruction ID: 709789c2a60fc05f2b9086f987f6758552f4cfc09686ddef984496a3bf1c3158
Opcode Fuzzy Hash: f47feb8db38a7abdd7ecd1e17ca2fce55adeada0a1d02dca8525767b7fe70ba8
Instruction Fuzzy Hash: 84514CB5E10245AFDF14DFA9D9086AFBBF6AFC8310F14842AD455E7250EB74AD01CBA0

Function 04C97CA8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5024a73376e6307bc879dda8facbc17c0bb6e8a6b950d47a79899c11579d0ff
Instruction ID: dd6701fa1903342d805553b8fa17ac175ad78542a51b059eb4facadc71e94530
Opcode Fuzzy Hash: d5024a73376e6307bc879dda8facbc17c0bb6e8a6b950d47a79899c11579d0ff
Instruction Fuzzy Hash: 67512C34A2221AEFCF24DF68D948AADBBF2FF49715F148169E445A7660D730ED40CB50

Function 04C9DFA8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5b55b8584790553849829729616bf71b7e0d53e61228e77b6150f648653150
Instruction ID: 0b5c99e4e3fcec25d467250296fab20cebe216b064e589b54d72ea5361ad7156
Opcode Fuzzy Hash: 5a5b55b8584790553849829729616bf71b7e0d53e61228e77b6150f648653150
Instruction Fuzzy Hash: A1416834B14158AFDB14DF6AC898AADBBF6BF89704F1440A9E501EB7A1DB31ED00DB50

Function 04C99D28 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b06fc7558dd54ef6003aa318ceaae20cdf2ba13ef966da75d6d3c91b85101a
Instruction ID: 09c1d0b4c3520673d0f73c3e1be976cf6035bc1027f7559c6a6486644e73577e
Opcode Fuzzy Hash: f4b06fc7558dd54ef6003aa318ceaae20cdf2ba13ef966da75d6d3c91b85101a
Instruction Fuzzy Hash: 3F41B4317007019BEB186BBA961432E72E7EFCAA45768487DD406CB784DF39EC428765

Function 04C9ABF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332895923f827040eaf2036ebdfc63b8cd149168ac9766ad3692653140e673e8
Instruction ID: ab5cd006fc819dd6ff476acf3c09a7f94197280152c51d431c3f199a6ab89bad
Opcode Fuzzy Hash: 332895923f827040eaf2036ebdfc63b8cd149168ac9766ad3692653140e673e8
Instruction Fuzzy Hash: 8E416235A40254DBEF14EF64D4583ED7AF3EB89315F244429C502BB240DB766D81CB95

Function 04C9419F Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f251940eb37f283bc5357b0c43baabbccf2e7a90c45065270915f1386a47d9
Instruction ID: 1ca8b6fcc66557beeb2c03f2ff6b22b2b66aedaf4c2fee94cea23daabc450629
Opcode Fuzzy Hash: a8f251940eb37f283bc5357b0c43baabbccf2e7a90c45065270915f1386a47d9
Instruction Fuzzy Hash: B5414A34700219AFDF199F64D848ABE77A7FFC8710F148029E80697294DB35ED92CB94

Function 04C99D00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e5f6880d97c6291e53ab9ffa3935e776d233e36e98ad57b2a638e8cde009a7
Instruction ID: a174723ca911961b30c7dab53a711380239df2bb4c293e58e1f0278116ab043a
Opcode Fuzzy Hash: f3e5f6880d97c6291e53ab9ffa3935e776d233e36e98ad57b2a638e8cde009a7
Instruction Fuzzy Hash: 7231E3723053409BEB25AB36C85466677E7AFC664970808ADC982CB391DB39FD01C761

Function 04C9B050 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043df98368ce1ab3abec8d019db3a9527fe7a0cb6dd60ad6840caf6a3c6b6422
Instruction ID: 6fb607b827eb9fa3d9e0f03e1ba0486789036ef1e14d97cf68bf9c98a5ae6c9d
Opcode Fuzzy Hash: 043df98368ce1ab3abec8d019db3a9527fe7a0cb6dd60ad6840caf6a3c6b6422
Instruction Fuzzy Hash: 74311775A00209EFDB05AFA4D8549DDBBF2EFC9314F144559E002AB3A0DF34AC41CB90

Function 04C9E381 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89941f6b43f554e3c560c9a1ae468c90f23cd8cb0dcc62c67725757f39933756
Instruction ID: 9033cea62e7f3cb8bf580b695f1c40a7249837aa3a63f2b9485dbe383f7ef26d
Opcode Fuzzy Hash: 89941f6b43f554e3c560c9a1ae468c90f23cd8cb0dcc62c67725757f39933756
Instruction Fuzzy Hash: 09418E30910609DFCF10EFA8D844ADDBBF1FF59314F108269E9517B290EB30AA98CB91

Function 04C91064 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259527ac3ce0f85c0589427b2c35e4f5d1e06bff7d7d0f384ebe7bd8082a4154
Instruction ID: fc2b9e8772ec08cbb387ced6bc53346a11e8dd48bee430b464bf81fef9fedc0e
Opcode Fuzzy Hash: 259527ac3ce0f85c0589427b2c35e4f5d1e06bff7d7d0f384ebe7bd8082a4154
Instruction Fuzzy Hash: BC41E4B1D013099BEF24DFA9C9856CEBBF6AF48704F24842AD408AB201D7756A46CF90

Function 04C91070 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5114f0b29c12cbc486ddca2e7a2d3dcbb30cc21a1996bbaa0b2ed601db861f
Instruction ID: 5620b85c49f6384ccfc907dc70e5309f1f69c3fce5005e72458b3c928d7258fa
Opcode Fuzzy Hash: 3a5114f0b29c12cbc486ddca2e7a2d3dcbb30cc21a1996bbaa0b2ed601db861f
Instruction Fuzzy Hash: F041C3B1D003099BEF24DFA9C984ACDBBF5AF48304F64842AD408AB215DB756A46CF90

Function 04C9BF28 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624cb266b67837e2ec842ef7fc1d5210bdc159637d7193a42f295012bea9ee14
Instruction ID: c42b829a509344bd642b31a5b2acca443580217824d3914777416eb3be460c71
Opcode Fuzzy Hash: 624cb266b67837e2ec842ef7fc1d5210bdc159637d7193a42f295012bea9ee14
Instruction Fuzzy Hash: F141A0B0D10359EFDB14CF9AC888ADEFBB5BF88710F20812AE418AB250D7756945CF91

Function 04C92110 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acee2e2983bee4f5d0a2264f04d7426a36b90c85f105c002bc4f899235cbf5f6
Instruction ID: bc0b6b79b678432c862fce959fb0fa3afa0373333fb406ad29e47ce5b1aa4478
Opcode Fuzzy Hash: acee2e2983bee4f5d0a2264f04d7426a36b90c85f105c002bc4f899235cbf5f6
Instruction Fuzzy Hash: E53106B4E05209EFDF05DFA9C9446AEBBF2EF49300F2084AAD944E3250E7349E51DB50

Function 04C93130 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a82042e08c5b503806ed27513f840782b33a35a4f141ef67c7f6fc2d50a73f
Instruction ID: eb358fed451b450ddb3a0f38b104d08756aeb04a13c45ad7da0eed06d4e6ac51
Opcode Fuzzy Hash: d1a82042e08c5b503806ed27513f840782b33a35a4f141ef67c7f6fc2d50a73f
Instruction Fuzzy Hash: C7213A74A04244BFFB045B708C057FE3BB6EB85700F1484AAE502DB2D1DA38AE46C791

Function 04C9ABE0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2aeb00077c5b20a58b7c55e776b6ee3e04de1afa2769d54dd2ad86e1c93c9c1
Instruction ID: b6c3eedac294cdf7da3240825a6cb979981d084a7aaaa89d5855ede6204b185d
Opcode Fuzzy Hash: f2aeb00077c5b20a58b7c55e776b6ee3e04de1afa2769d54dd2ad86e1c93c9c1
Instruction Fuzzy Hash: 9031D234A00295DFEF25AF74C4583AD7AE3AFC5214F244538C402AB390DB3B9D81CB95

Function 04C9A810 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04111f9322f1734920aa342fe61bce40647958cff11cff66f555dc24e3d43191
Instruction ID: 4eb1b318b551206cff1167d90726219cd14a8ae4ce62a10633c27c2ad92c5e93
Opcode Fuzzy Hash: 04111f9322f1734920aa342fe61bce40647958cff11cff66f555dc24e3d43191
Instruction Fuzzy Hash: 21319E357106409FCB15DF28C4989AD7BF6AF89A14B1541AAE502CB3B1DF71ED02CB90

Function 04C909C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4615d890fd03645b28b1ab786aeba3887f1b02c24bcb788e6a5d501b4f148d
Instruction ID: 352c3da4cbd28f144293299323ee6e4ab3d427813196ab76fcc1a1ed493444cb
Opcode Fuzzy Hash: 9f4615d890fd03645b28b1ab786aeba3887f1b02c24bcb788e6a5d501b4f148d
Instruction Fuzzy Hash: 1F314E75E01209EFDF09CFA5D8449AEBBB2EF85311F0184AAE905A7260DB319D15CF50

Function 04C93140 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed5f9bc48e078659eb7c88dfb86d02becf39c02ea8234693a0da642fe09d5b3
Instruction ID: ffe48b38f3352215e52185150f77e89f84cbae1e19697f1da65c42d74c96a855
Opcode Fuzzy Hash: 0ed5f9bc48e078659eb7c88dfb86d02becf39c02ea8234693a0da642fe09d5b3
Instruction Fuzzy Hash: AE212974A04244BFFB445B708C067FE7BB6EB85700F54846AE502DB2E1DB38AE42C791

Function 04C90F59 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5354409c10316bfb2814835720028302a5c50707aff1885580af39b13652f652
Instruction ID: b433ec6665027c0caba15b4ca0e78a870d2f1667be14fb03c4dc6bec4ec8eb31
Opcode Fuzzy Hash: 5354409c10316bfb2814835720028302a5c50707aff1885580af39b13652f652
Instruction Fuzzy Hash: DC3135716043818FDB12EB38D8446AABFE3AF85314F1988ADD045DB391EB71EC05CB91

Function 04C9C098 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fedd454a28e3846e205961d6611f754ea066331338792714b9e71e303510abb
Instruction ID: ed12e28ddbe1edfffa2f0fd5ac7e1c6f82d8066a7fa4027303cac84246245c28
Opcode Fuzzy Hash: 0fedd454a28e3846e205961d6611f754ea066331338792714b9e71e303510abb
Instruction Fuzzy Hash: DE2160B1A001457FEF11EFA99C549FFBBFAAFC4604B10816AE554E3251EB70AE1187A0

Function 04C98F81 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f8931271ebbe547213c0b9917e91376cf9ea12c22633f4a53679c1defdf2be
Instruction ID: 819f4b6bfefb56d20cbeeff89aaf27030a7104d9721d686e6239d75917079062
Opcode Fuzzy Hash: 80f8931271ebbe547213c0b9917e91376cf9ea12c22633f4a53679c1defdf2be
Instruction Fuzzy Hash: 9E214BB77002009FEF248E25C8C55BE77E3EBD8310B188069D14683750D634FE81C751

Function 04C98F90 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198f05ee86b636175d8b379dfa8fa3a94f1ba4ee331b3964a447f573055dfd66
Instruction ID: c55d2269870f4e25704d00f483b621b949a1c5b54c2d93f4ffef1703aa775771
Opcode Fuzzy Hash: 198f05ee86b636175d8b379dfa8fa3a94f1ba4ee331b3964a447f573055dfd66
Instruction Fuzzy Hash: 53212676700210AFEF24CA69C88557E77E7EBC8311F28842DD15693754C638FE80C761

Function 00B1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653590917.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b1d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8576315297c4c4fc6906d85f9a415043326bafb323cf9f910931b95a43787b4c
Instruction ID: 69a554bbb493b07d67fb3eb672f478631279cb868b3adfb12acf22245e44af77
Opcode Fuzzy Hash: 8576315297c4c4fc6906d85f9a415043326bafb323cf9f910931b95a43787b4c
Instruction Fuzzy Hash: 29213A71504304DFDB04DF10D9C0B56BBE5FB98314F60C5A9E8090B356C336E896CBA2

Function 00B1D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653590917.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b1d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d940f83e06a85271a108d4f4ef9863471cf925d2a4406c3d3edca30559e747d
Instruction ID: fa18cd2a1529cea33edeb2d1c86087d1aa4c763b5b389a09ad12f9879902ed65
Opcode Fuzzy Hash: 5d940f83e06a85271a108d4f4ef9863471cf925d2a4406c3d3edca30559e747d
Instruction Fuzzy Hash: BD21F571504240EFDB15DF14D9C0B66BFE6FBA8318F64C5A9E8090B256C336D896CBA2

Function 00B2D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653639020.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b2d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c211b35814032197de5e6a24553244835ac06e6dc192fdf769f824dd86c95398
Instruction ID: 78560fa748e4c0e1c3b989b1b64ae0dac2a00206ac104fa2884a827e4fbadcfe
Opcode Fuzzy Hash: c211b35814032197de5e6a24553244835ac06e6dc192fdf769f824dd86c95398
Instruction Fuzzy Hash: 3B21F271604200EFDB05DF10E9C0B26BBE5FB88314F20C9ADE84D4B292C336D846CA61

Function 00B2D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653639020.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b2d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76669e76497393787bd1a27bfd5c816dd49b264f4846d4e0d11837fc5082478f
Instruction ID: eb0d8c6cb2e063e922bb9b10edb2460b45c674984d19062069cad1ea6265b985
Opcode Fuzzy Hash: 76669e76497393787bd1a27bfd5c816dd49b264f4846d4e0d11837fc5082478f
Instruction Fuzzy Hash: D421D371504240DFDB14DF10E5D4B17BBE5FB84314F20C5A9E84D4B2A6C336D847CA62

Function 04C90DF5 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9850f542846accc747a7f08a6ebceb9632acb17e61821a2b8916d0aca9fcdf23
Instruction ID: 8f2a280516a8d9cf0655f4c8e962641dfdbb289dc147b66ab188fdcb983c844d
Opcode Fuzzy Hash: 9850f542846accc747a7f08a6ebceb9632acb17e61821a2b8916d0aca9fcdf23
Instruction Fuzzy Hash: 2D31E3B0C01259EFEB20CF9AC588B8EBFF1AB48314F24851AE444BB290C7756945CF55

Function 04C9EF40 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ceffcb41c1dbccb40cc5a429adc212cec4f645d322582dc8f299835efcf154
Instruction ID: c561cbd89f40e5404cf15d6a338f212fb7f20e1bcacd9b3c88451a3a1b56576a
Opcode Fuzzy Hash: 76ceffcb41c1dbccb40cc5a429adc212cec4f645d322582dc8f299835efcf154
Instruction Fuzzy Hash: 8211B4717046009FD711EF38D848E6EBBEAEF8962471545AEE445DB3A0DB30EC01C750

Function 04C9F478 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08152bcb3b06b9ce10252c45a7aaa4fff4f02353afdebdc4ace97604d3fb6832
Instruction ID: c48d99eb5db95e53b19f83e2f9d784831f5fc5813d800af742436f33eea5ad0b
Opcode Fuzzy Hash: 08152bcb3b06b9ce10252c45a7aaa4fff4f02353afdebdc4ace97604d3fb6832
Instruction Fuzzy Hash: 57216D36900209DBDF14AF68D4186EEBBF2EF88310F14C529D906B7394DB75AD45CB90

Function 04C90E00 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98f4197ab788f1ef58e5c2ef06e05637d3ec316b7690e84828101ab63594abe
Instruction ID: 5367858e5115b553ab6ed522e9fc94271701cd79fff4ed9c1cf584b85df53b29
Opcode Fuzzy Hash: e98f4197ab788f1ef58e5c2ef06e05637d3ec316b7690e84828101ab63594abe
Instruction Fuzzy Hash: 2621B0B0D01319EFEB20DF9AC589BCEBBF5AB48714F24805AE444BB240C7B56945CFA5

Function 00B2D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653639020.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b2d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65699edbd8c062e209b4973a6deea0caa0bd48b351d285c635376d8b94ce4e9e
Instruction ID: d88cb2577033c6cebce711d86c61813f7fc9a08deb9815f04cc8a60c2290d77d
Opcode Fuzzy Hash: 65699edbd8c062e209b4973a6deea0caa0bd48b351d285c635376d8b94ce4e9e
Instruction Fuzzy Hash: CD2184755083809FCB12CF14D994B16BFB1FB46314F28C5DAD8498F6A7C33A985ACB62

Function 04C9EF50 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29541bca97aa503e55831e39e6533f0433da469b74d734863891991a90fcc6a0
Instruction ID: ddb6c7f66589aa7dc9d51888ed8fd9cb3bedd313c392a7289449a7fc753dede2
Opcode Fuzzy Hash: 29541bca97aa503e55831e39e6533f0433da469b74d734863891991a90fcc6a0
Instruction Fuzzy Hash: 36118F713006109FD704EF28D848A6EB7EAEF89624B1545AAE406D7360EF30ED418BA0

Function 04C90C41 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0e2a57e5e861a7230bdd974a83a02b914392c16ee246ed7f542eb59119ed4b
Instruction ID: d995653f47dbe63aed7647309c32f0da95212dd4472d54d5b138029e25b7cfc9
Opcode Fuzzy Hash: 6a0e2a57e5e861a7230bdd974a83a02b914392c16ee246ed7f542eb59119ed4b
Instruction Fuzzy Hash: A111E0B2E042058F9B11EE7998845BFBBF7EBC9224718492DE418D3340EB30AE028361

Function 04C92250 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64fcab5ddd7f77c809731a23c4156e1f2eb32397fcfa7736ef6482aee45f691
Instruction ID: d59c0990ef4dada1a8c17fe0e12afc660a2cd3daffc7fc78c33961b9566c9120
Opcode Fuzzy Hash: d64fcab5ddd7f77c809731a23c4156e1f2eb32397fcfa7736ef6482aee45f691
Instruction Fuzzy Hash: 58210875E01219EFCF09CFA5E8449DEBBB2FF89311F01806AE915A7260CB755956CF80

Function 04C990D1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbad7ee14e01200fe467117a0807bf913c6abb4e1d90445b73cb056720318a98
Instruction ID: 4e4b3bdace8466503034c6136f7704bc3ff1419c6b24f63685005706225bd7fe
Opcode Fuzzy Hash: cbad7ee14e01200fe467117a0807bf913c6abb4e1d90445b73cb056720318a98
Instruction Fuzzy Hash: 4C1196B5E0021A9F8B44DFADC9459AEBBF5FF88310B10816AE919E7315E7309911CBA1

Function 04C92260 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4f09ec942f77be32b1c5923eb440ab2342480bb681c04084aa19b14f30f750
Instruction ID: 41317003cdd69bbaabd66b36efbe98952995ad9fce84253559cf7f7d3f3ffe26
Opcode Fuzzy Hash: 4d4f09ec942f77be32b1c5923eb440ab2342480bb681c04084aa19b14f30f750
Instruction Fuzzy Hash: 5811F635D00219EFCF09CFA5E8449DEBBB2FF89311F01806AE915A7260DB71A956CF90

Function 00B1D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653590917.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b1d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 1293ea03cac48d826f3fad1bb3fe0a8be94306dc9b73096b3d360a8848be460b
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 2D11D376504280CFCB15CF10D5C4B56BFB2FB94318F24C6A9D8490B656C336D89ACBA1

Function 00B1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653590917.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b1d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 1c77e3b3cc0f13fc56abded97a36c8c24c0ac9b13ff05411dbec732622e2269c
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: F811D376504240DFCB15CF10D5C4B56BFB1FB94324F24C6A9D8090B756C33AE89ACBA1

Function 04C925F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63ee5bbed7055ecd4601bc494d75e473191a2058a4767a43902cf39cacd0124
Instruction ID: 8443d6752872dee8730afd650e4d5a88275b74aa7e69d19d52b4806a7c17adf4
Opcode Fuzzy Hash: a63ee5bbed7055ecd4601bc494d75e473191a2058a4767a43902cf39cacd0124
Instruction Fuzzy Hash: 0A11EF74C00209EFCB05DFA5C948AADBFF1FF0A301F1484AAE605A7261D735AA50EF90

Function 04C90A24 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa61d2d35555fbcab85a4ff2745c9a44244193ec32aa763cc8a59c8ab800d4a2
Instruction ID: 1698b46f91084b2032a3b1077de19222a664a175789f0dc339eb8974bbda8f18
Opcode Fuzzy Hash: aa61d2d35555fbcab85a4ff2745c9a44244193ec32aa763cc8a59c8ab800d4a2
Instruction Fuzzy Hash: D811C2B5900348AFDB10DF9AC484ADEBBF8FB48314F10841AE959A7200D374AA44CFA5

Function 00B2D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1653639020.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b2d000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: 56f2c1ab0922458f41e393f223bb6355cb0fc0b4a7ffd792aa0123f45a3d768e
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 4A118B75504280DFDB15CF10D5C4B15BBA1FB84318F24C6A9D8494B696C33AD84ACB61

Function 04C990E0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dab554bf667db409b9aeb7d4054e4b41c8e1ffc35e8f9973bff1e6bbe95ed04
Instruction ID: e8b1e08bb9ce3b2e31b853172f096da0e725ea08bcff89949930254da617e783
Opcode Fuzzy Hash: 9dab554bf667db409b9aeb7d4054e4b41c8e1ffc35e8f9973bff1e6bbe95ed04
Instruction Fuzzy Hash: E71189B5E0011A9F8B44DFADC9449AEBBF5FF88310B10816AE919E7315E7309911CBA0

Function 04C9C3B8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efbfdccac895052e99ae5dd558f8278e5b205eba9b613ef46933e7b1704ad72
Instruction ID: cb1a1b8d53241a751fc4bef3ac4ddb92cbd6d7fe266bdf97020383996e11a203
Opcode Fuzzy Hash: 1efbfdccac895052e99ae5dd558f8278e5b205eba9b613ef46933e7b1704ad72
Instruction Fuzzy Hash: F111F3B1D002489FDB10DF9AD444BDEFBF4EB98220F10841AD469A7310D774AA45CFA1

Function 04C9237B Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4126806228419ef7b6e7e011c34637bf0c4ecee3ee2fbd007adc2d0a87a5213d
Instruction ID: 1a21b4724177e5be9cc1ed15e2cb22e34b0e272ad572791b94c0bd0123165c99
Opcode Fuzzy Hash: 4126806228419ef7b6e7e011c34637bf0c4ecee3ee2fbd007adc2d0a87a5213d
Instruction Fuzzy Hash: 2601F571B006567B9F10EA699C445AFBBFAEFC4210B14487AD955D3241DB30AE0683A2

Function 04C9B9E0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf494e1f3990622761b5e4b92998a0d001e011dad3901160a6a1c1d5a905c00
Instruction ID: 8dd0abdcb517a17923d5eeef6747aea66ac25283326fa7e2379d90f9851176aa
Opcode Fuzzy Hash: 2bf494e1f3990622761b5e4b92998a0d001e011dad3901160a6a1c1d5a905c00
Instruction Fuzzy Hash: B11107B1D046489FDB10DF9AD444BDEFBF5EB88310F14841AD858A7310D374A904CFA5

Function 04C9BB34 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4650106f8f6d22f8025eacc7ba95de1b4cd991b159b4b7a2545c9ec02b1c8c
Instruction ID: 05cdb78cd7e772757149d12e47a0b14cf071ab0f41ce4c05eada6fc57fa40aa1
Opcode Fuzzy Hash: fb4650106f8f6d22f8025eacc7ba95de1b4cd991b159b4b7a2545c9ec02b1c8c
Instruction Fuzzy Hash: 251104B1D046489FDB20DF9AD448BDEFBF9EB88320F14841AE858A7310D774A904CFA5

Function 04C92300 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17483776d6bf0c6fb4d6698d4110416f91907ffc207ee8e7c884fb819786085f
Instruction ID: 0fce9b6fc287379b101ae5afc5495832003a329d1b6a9662975a4e803e22a6d7
Opcode Fuzzy Hash: 17483776d6bf0c6fb4d6698d4110416f91907ffc207ee8e7c884fb819786085f
Instruction Fuzzy Hash: F101A732905219EFDF05DFA4D8049DEBBB6BF87321F055425E9443B250C7716549CB91

Function 04C9AC7A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e38e543836ccaf6c74e917cb64c0a8e16ed8ddf1f08cdd990d11a9b10c7a463
Instruction ID: 59ae4c3a7d7d4b4a1047812c1d92232d0f27e6d52b5ea532247db15a1c42bd1b
Opcode Fuzzy Hash: 3e38e543836ccaf6c74e917cb64c0a8e16ed8ddf1f08cdd990d11a9b10c7a463
Instruction Fuzzy Hash: 9C118235A00249DFEF18EF65D4583BD76F3EB84305F244469C001AA280DB7A5D80CBA5

Function 04C91651 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8f0b384f87328134191ac19f51769997ba0a86e3caffec9a27d9d0d0961346
Instruction ID: 0e9f41cf9fedf14ae3508deed713e2fd10fd8ceae87ccbd4dcebac56cfbb077f
Opcode Fuzzy Hash: cc8f0b384f87328134191ac19f51769997ba0a86e3caffec9a27d9d0d0961346
Instruction Fuzzy Hash: DF1125B58003498FDB20DFA9D444BDEBFF5EB88320F24851AD558A7350C774AA44CFA5

Function 04C9CF48 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9101c6e4c5cc0d33c9d8c7249854d52a8e550ea56e3f4fe8c15e4ce490574ae
Instruction ID: f0c49192df7abb74868be1218b4099581c091bce38de69788f25e3c587af28e4
Opcode Fuzzy Hash: b9101c6e4c5cc0d33c9d8c7249854d52a8e550ea56e3f4fe8c15e4ce490574ae
Instruction Fuzzy Hash: C201F971F083546FDB05DBB8A8146AD7FEA9F85120F0480AAD449C7381EA759D414791

Function 04C91658 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a689bf74c82b55efbec5758f7f0f864ee89c3e7d1ddff6092788d2e7d0719ea9
Instruction ID: fe3daa60a7b3a5cb6a474d1988f11fdcda04cceadadae86d80d975e7a399298d
Opcode Fuzzy Hash: a689bf74c82b55efbec5758f7f0f864ee89c3e7d1ddff6092788d2e7d0719ea9
Instruction Fuzzy Hash: F11103B58003498FDB20DF9AD445BDEFBF4EB48320F14841AD518A7340C774AA44CFA5

Function 04C9C8F3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee1a5d0a5c1d23736ad9741cf610cdd3ddb50f50d2d680725abc5603e409c3b
Instruction ID: e430398e4152b6bd9758929c14b150ecb78e4e00d9fa34ed226c354f6a7175cc
Opcode Fuzzy Hash: 3ee1a5d0a5c1d23736ad9741cf610cdd3ddb50f50d2d680725abc5603e409c3b
Instruction Fuzzy Hash: 7A01D675B00150BFEF16E6A868545BE7FB7BFC5214B10017DE104A73A1DE202E12D395

Function 04C925E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29c403926d363fe4a86ee0026928b1d3158cecd9cd1e2c765fb51d57aef6689
Instruction ID: 4f103a6dde8735cd07bd35cae0af2a92f7ddf43ad46ffb64d9c1f9a43eb04ffa
Opcode Fuzzy Hash: c29c403926d363fe4a86ee0026928b1d3158cecd9cd1e2c765fb51d57aef6689
Instruction Fuzzy Hash: 37018870804248EFDB05DFA4D808BADBFF1EF1A300F0554E9D144AB2A2D7755A50EF90

Function 04C9CB28 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064d76beabf33848a2d146f3d303e572bf7410007b99a33ad86ace7771d3bc05
Instruction ID: 2fde252b03079cd77e8946bde46b175b3fbc052c9ce0c44f9a68d25f295551b6
Opcode Fuzzy Hash: 064d76beabf33848a2d146f3d303e572bf7410007b99a33ad86ace7771d3bc05
Instruction Fuzzy Hash: FAF0C861B053946FEB05DB749C5879E7FE69FC6550F5584BDC404C7281EA346D018361

Function 04C92310 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082595e08660cc610cdff7af9e9d9194b846ee3f65251a455c7b2778afcdfc52
Instruction ID: f94446221742253eb3e9b74d4fa839177944b3dddc3c915781e0d45750d0c4cc
Opcode Fuzzy Hash: 082595e08660cc610cdff7af9e9d9194b846ee3f65251a455c7b2778afcdfc52
Instruction Fuzzy Hash: 80F08132900219EBCF05DE95D8049DEBBBABF8A321F004425E9043B210C7716949CB90

Function 04C9DF99 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fa8630ba28d3231e5882d3c8a9bcc81ecd42e233664baeddb8f8b8953e3477
Instruction ID: 090d462711dc70e4ee703b7e573a5fc2857198be1f4cdfa709ef5b53521c46ee
Opcode Fuzzy Hash: 35fa8630ba28d3231e5882d3c8a9bcc81ecd42e233664baeddb8f8b8953e3477
Instruction Fuzzy Hash: 3C01D230908298EFCB14DF69C884DDEBFF1AF5A210F0401A9E491E73A1C731E800CB50

Function 04C9F3E8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972ccce418ff04c10ae7b2b22ddcaa37f3e0215a56b703d03fbe3c7176eb832
Instruction ID: ac83b8fde3b8479a3a84fd64aeba43124ba8ca7bc4b920af75ef1f063d125e2d
Opcode Fuzzy Hash: 2972ccce418ff04c10ae7b2b22ddcaa37f3e0215a56b703d03fbe3c7176eb832
Instruction Fuzzy Hash: 2C01DF31910B499BDB117F3CDC00599BBB4EF93321F16832AE9C167290EB30E9A0C791

Function 04C99069 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c609d4b46af08b8c1536ef9f9d6d097f9abc37af62dfa473c73019dca9000e0d
Instruction ID: dd614079897f67d0360e2b2f6311dbb879116b599b64a17e3f1f8ce2fdab39b0
Opcode Fuzzy Hash: c609d4b46af08b8c1536ef9f9d6d097f9abc37af62dfa473c73019dca9000e0d
Instruction Fuzzy Hash: C5F0C871A106049FC711EF6DD844C8EBBB8EF86210740416AE5459B361D630AD06CBB2

Function 04C9F3F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7899cbabf68cb0386b46ef246f984ae54c3cc18a70105bf0158753454411079
Instruction ID: b4a99ed7962e82c96b8218845f2fab88fabcb674087e007a937f7b30dd644560
Opcode Fuzzy Hash: e7899cbabf68cb0386b46ef246f984ae54c3cc18a70105bf0158753454411079
Instruction Fuzzy Hash: D3F06231910A099BDB10BF7CDC1449DBBB4FF96321B51832EE98567250EB30D5A4C791

Function 04C9A4E9 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f346f8fca9b9874f325882960b86d39797b68e98bb67d0258deb5521512de04f
Instruction ID: cab24181198494d0fe8b4f2d98d7e96cf0f58a90b531cf0840ca6cad7ffc1181
Opcode Fuzzy Hash: f346f8fca9b9874f325882960b86d39797b68e98bb67d0258deb5521512de04f
Instruction Fuzzy Hash: 00F03735B101188FCB01EB98D458ADCB3F2FF88724B158096D505B7320CB31AE45CB90

Function 04C93E4F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7dea8c926cf134fd66f3b0f93cf22d2b109ba0d5d1a2aa386146f7f065e9b4
Instruction ID: 8dad8c300a4ed27bb33b1deb7c68f6f370a8564b59b298fff847179c8de3fb50
Opcode Fuzzy Hash: 2c7dea8c926cf134fd66f3b0f93cf22d2b109ba0d5d1a2aa386146f7f065e9b4
Instruction Fuzzy Hash: E3F0AB31B042C0EFDF1156B5BC4C7A67FA0CB16260F0400BADE00C7522C7304C19C321

Function 04C9ACD5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90744952de789df822e920057727803a61fd5701a55560b5773c8e51dbd03e55
Instruction ID: 8f8aa4bac105b6008f792ca3a4fa63ccf022c75bb9f9d18e7a7f2d16999b4026
Opcode Fuzzy Hash: 90744952de789df822e920057727803a61fd5701a55560b5773c8e51dbd03e55
Instruction Fuzzy Hash: 2DF01D71A00249DFEB18AF65D4187AD7AE2AB84705F148469D002AA280DBBA9D848FA1

Function 04C9F3A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5d83d88065de422171a744350ea3d03f5d44903325812ec193f1d332b6975a
Instruction ID: 5051e36c3062c6470efeb519cf9a32c0b40121f4826a3a6ef90f37163eb8e34d
Opcode Fuzzy Hash: 7c5d83d88065de422171a744350ea3d03f5d44903325812ec193f1d332b6975a
Instruction Fuzzy Hash: 50F06D75804289AFDB01DF68D800AA9BFB4EB01310F118596E884D72A2D7309A649BB1

Function 04C9E338 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7c6b03323ee1a1cbb050ee64141f70cd3c9e2bc0fc90d9e61b59495f831c1e
Instruction ID: f698559b24db6dd8db6efae9148371a44fe839577fa13c48098114e5b5e7f3c6
Opcode Fuzzy Hash: 9d7c6b03323ee1a1cbb050ee64141f70cd3c9e2bc0fc90d9e61b59495f831c1e
Instruction Fuzzy Hash: DBF06D30818748AECB41FF39D4046997FE4AB27261F01C17AE48CCB192EB30E694CB91

Function 04C90F01 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59527d427c7597063d3161ef49618a0309e3754077a59206a585cf9bd432e15c
Instruction ID: b967776c8b0eebe2098d4949128bbcff9c239a4be871da3b7dcefff999f32f65
Opcode Fuzzy Hash: 59527d427c7597063d3161ef49618a0309e3754077a59206a585cf9bd432e15c
Instruction Fuzzy Hash: 51F0E574905288EFC702DF64E900BA83FF2EB56300F2581D8C44497392DB361E01CB21

Function 04C9E281 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bbac81dfadc65db0775635c6e687988ca491562ba51090087cf6977f7c3176d
Instruction ID: 433b54983f26f99b7a508b9179b4d70c2a8a41e1cb0a5c5a3535ca131c1a3402
Opcode Fuzzy Hash: 7bbac81dfadc65db0775635c6e687988ca491562ba51090087cf6977f7c3176d
Instruction Fuzzy Hash: 02E0CD0171CB5226EA173278A41437D76CB4FD7564F4A01FAD4865F3D2DE086D1203DA

Function 04C9DED0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17fc014b4fdf5ba8fb3155d6177ab336dcc267a0ed84341aa8373880e70102e
Instruction ID: 5ba4cbca2098412def9fb48c3a1e3039abeddde03cc5a1bf7caddccbd0921f2c
Opcode Fuzzy Hash: e17fc014b4fdf5ba8fb3155d6177ab336dcc267a0ed84341aa8373880e70102e
Instruction Fuzzy Hash: 65E02632604660EBD7125B389808B6A7BCD9B26311F054076E186C7192DB248D00C3F1

Function 04C9B3F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eaf27132ff8be3a6431d0c34bc0a47ea42eea2103cfe088509d8dcfdd27e1de
Instruction ID: e9ea72f146f01eaf6397333c8d19c6ca858ffb37c1d61c1fedfd1c67aba68383
Opcode Fuzzy Hash: 5eaf27132ff8be3a6431d0c34bc0a47ea42eea2103cfe088509d8dcfdd27e1de
Instruction Fuzzy Hash: 16E020363041449FDB076FA4E400AD53FF5DF56354F058096E6458B393DA259D41C791

Function 04C9DE98 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7ac3f6d2642ed8b86571e85a5a70ef9c539d808c2a4b9802528264e77fbce3
Instruction ID: 64fa83fa14ee56a99616bb04ee644f77cc572db0426a67f2ed368f2938760e5c
Opcode Fuzzy Hash: dc7ac3f6d2642ed8b86571e85a5a70ef9c539d808c2a4b9802528264e77fbce3
Instruction Fuzzy Hash: 99E086312081505FC301562CD410A9A3F98CF56624B0201DAE5818B372CA659C01C3D2

Function 04C90F10 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd85df8a5bae3f0e2da04fe4603e8d26f6f47755bb0d5fa4330f6073fc0f84e
Instruction ID: d606b035b144ff745e1841a4b382c33e523b372602fe0f427f66007a01786650
Opcode Fuzzy Hash: bcd85df8a5bae3f0e2da04fe4603e8d26f6f47755bb0d5fa4330f6073fc0f84e
Instruction Fuzzy Hash: 93E04F34A0110CEFCB00EFA4E940AAC77F9FB45714720C198D80593284EB326F009B51

Function 04C9F3B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756374ae75c1ef4b32587405f986752ebcf8668512ddb13f47a3fb9d7a14a428
Instruction ID: 9d61931411fbf8886622254e932b45c4f44a59c9e5d70eb44c3b588b7ac9d4de
Opcode Fuzzy Hash: 756374ae75c1ef4b32587405f986752ebcf8668512ddb13f47a3fb9d7a14a428
Instruction Fuzzy Hash: F4E0EC3180010DAFCB00DFA4D8449ADBBB5EB44201F508596EC04D3251E3319B649BA1

Function 04C9E301 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9928645cbaf870f6dcf0f1cc1b940e3d9820fa4e4ddc796e52f5d457d7880d5c
Instruction ID: e4a7de242dfeb8facd3dffa9b06e9abf5091309d3b235bfe0904c0070e777ab3
Opcode Fuzzy Hash: 9928645cbaf870f6dcf0f1cc1b940e3d9820fa4e4ddc796e52f5d457d7880d5c
Instruction Fuzzy Hash: 8CE08630518B448FE301AF3CD8446547BA4EF57204F4602E5E1859B2B6EB11E8118751

Function 04C9E290 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a919583bd099d8ea90743cc3df315388c768241285b0336243dc7950e2001257
Instruction ID: 943ffabfed00c2a279578c213edbe5ad5f478049ec3318c81a922413b254b96c
Opcode Fuzzy Hash: a919583bd099d8ea90743cc3df315388c768241285b0336243dc7950e2001257
Instruction Fuzzy Hash: F8C01212358E35236C1D3158A42517D628F8BC5918B48007AD40B5B7C0DD4D3E6312DE

Function 04C9E348 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4834691c4e2c840a7ce880ce7551b61aba5f4eeddd9e1fe4d076c51e19577d4
Instruction ID: 10e6489b059aa67d48cd64a517f444b8ba417704601da8a13bc6a883d711ff5b
Opcode Fuzzy Hash: a4834691c4e2c840a7ce880ce7551b61aba5f4eeddd9e1fe4d076c51e19577d4
Instruction Fuzzy Hash: 9BE0E23181460CEFCB90EF79D5084AE7BE8FB25221F00C52AE80D9A140EB30E698CF90

Function 04C98F58 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667267e4b0f453c590d8e0265852264b6d30fdb52d93e6c429ace9999eddac7e
Instruction ID: bbba45c88b6cb3514c277f30f0a0103e5ce75b734fe520016b6aa67454db57f7
Opcode Fuzzy Hash: 667267e4b0f453c590d8e0265852264b6d30fdb52d93e6c429ace9999eddac7e
Instruction Fuzzy Hash: 1BD05E39208244AFD7029F28D844F987FA5EB26365F0680A5F9588F323D371E812CBA1

Function 04C9DEE0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5203ed17f91ec0673ed1ef5416e392eaa3c6031e822f78b6e94fd4833c5d2378
Instruction ID: b84b839be733cb4f732c4ab4ef4141cf5fa76e9acd0ce5002df2565fb092b45c
Opcode Fuzzy Hash: 5203ed17f91ec0673ed1ef5416e392eaa3c6031e822f78b6e94fd4833c5d2378
Instruction Fuzzy Hash: EED0C932700224A7CB152F69E50DBAEB69EDB44756F048026E60A97185CB799E40C6F5

Function 04C9DEA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf74ae9a54db365384790be173c53c9b1155dd07ca8826d5d1fc8b9d1ad263ca
Instruction ID: 64b8d16495d82bdd30ca65fd809e144ff689b13a64fd8145a586985a1a62e61a
Opcode Fuzzy Hash: cf74ae9a54db365384790be173c53c9b1155dd07ca8826d5d1fc8b9d1ad263ca
Instruction Fuzzy Hash: 05D0C9323441249F8604AA6CD410CAA7BA9DB5966530140A6F905CB331CA62EC5187D4

Function 04C9ABB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7b7a3799b1dc7c41124fafb75a0a5b2c21a07f46db3d21c028fd676d53ac9b
Instruction ID: 941290eb0f9094a2d505e413e172a8cf977317a8a4a7810fe70088b2a84bcd11
Opcode Fuzzy Hash: ae7b7a3799b1dc7c41124fafb75a0a5b2c21a07f46db3d21c028fd676d53ac9b
Instruction Fuzzy Hash: 9DD05EBC4852C28FFF12DB2CE9147203B59B783718F026296D040CB296C36C188ACB72

Function 04C9AD48 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdf5f66b6758b8cb75922d484deba9196d19a6800dfcb3572434cddf0b404d4
Instruction ID: 0d9303cc8c017bb8d81b5848fedd7e41dd18abb6fe770b094a2a2325372d9f78
Opcode Fuzzy Hash: 3bdf5f66b6758b8cb75922d484deba9196d19a6800dfcb3572434cddf0b404d4
Instruction Fuzzy Hash: 69E01779A40209DFCB04DFA4D098AADBFF1EF0C711F24841AD002E7260CBB56804CF50

Function 04C9E310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fe81c49758421ecf5dce11c80316ade52eff8d8e4a04c29d2cf401457b857e
Instruction ID: 9d38337436dd69fb47b16aa30e44c4829414739559a76fa20b1c37d477d5e9f5
Opcode Fuzzy Hash: a9fe81c49758421ecf5dce11c80316ade52eff8d8e4a04c29d2cf401457b857e
Instruction Fuzzy Hash: 81D01231550B04CFC300FF6CD945864B7B4FF45704B450195E2059B335FB21F8548B41

Function 04C98F2E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d3f55db8b6fa004ec10f8f8c398da187d975065167a29c9e41e41595c4559b
Instruction ID: e087cecc5733a59755f1eef844f39e50023f4e42ff68b40bf2fe008f29442970
Opcode Fuzzy Hash: 48d3f55db8b6fa004ec10f8f8c398da187d975065167a29c9e41e41595c4559b
Instruction Fuzzy Hash: 17D0A7164097505EE301FB34541044CBB707923110B454757C090861E1E620A55DD7A2

Function 04C98F68 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1656837707.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4c90000_DpmrYeeDGcj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Analysis Process: vbc.exePID: 5624, Parent PID: 4136COMMON

Executed Functions

Function 00CE0EB8 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

d.t, xrefs: 00CE0F05

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID: d.t
API String ID: 0-955178627
Opcode ID: 162da3dd0f7827d9830d70ddc616cb18404a7279cbdf87ae6c38bf41859202ee
Instruction ID: 3993922767e0bc84b486ff011ada28543108c4684d79383a54669e573768ec71
Opcode Fuzzy Hash: 162da3dd0f7827d9830d70ddc616cb18404a7279cbdf87ae6c38bf41859202ee
Instruction Fuzzy Hash: 74518D30B101548FDB58DF69C458B5DBBF2FF89700F6581A9E806EB3A5CA75DD018B80

Function 00CE0D20 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746b7049978827fc2cf96814a8b0126a9e83527f564e6f0f89071b79d0489976
Instruction ID: 2ba966f6c19332b4e7f487fc9cb49838110574fd362345fd36aecb038cac6cd9
Opcode Fuzzy Hash: 746b7049978827fc2cf96814a8b0126a9e83527f564e6f0f89071b79d0489976
Instruction Fuzzy Hash: B141C031B042448FDB19DF69D854BAEBBF6AF89300F2484A9E405DB3A1CB759D45CB90

Function 00CE0AA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd3798fb176b68a9033ca02deb3e63ee9619aa16e8a3330727e8a34ebb9a259
Instruction ID: 3dc3bb99123ecc21080b6a50d5b14202b23b21c1ea7e12c25be962b806434968
Opcode Fuzzy Hash: 7dd3798fb176b68a9033ca02deb3e63ee9619aa16e8a3330727e8a34ebb9a259
Instruction Fuzzy Hash: 3751F470600601DFCB05EB24E89AB9A7BB2FB84625350A66DD4018B3B5DB799D46DFC0

Function 00CE1339 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa64bc9e8e7d521bb770341458dd8de40353d079e6f141766aab5d5b5a91755
Instruction ID: 4ae4fcf27cb6165ef14d8f84c762db84eebe79541ab6f835803e91a4c9f66441
Opcode Fuzzy Hash: caa64bc9e8e7d521bb770341458dd8de40353d079e6f141766aab5d5b5a91755
Instruction Fuzzy Hash: 67312234F002968FDB489B7998556AEBBF6FFC8310B14416DE906DB3A0DF309D028790

Function 00CE11D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bdf468a5fb4fe76cbf2010e61cce42936e0fa751e406b99b6d7f2703997bc8
Instruction ID: 133460657faec08c8f5e368fb8b07fcbf249f8f52fb510a3a29ae6ac7c0064af
Opcode Fuzzy Hash: 91bdf468a5fb4fe76cbf2010e61cce42936e0fa751e406b99b6d7f2703997bc8
Instruction Fuzzy Hash: 0941C071B00249AFCB04EBB9C8446AEBBF6EFC8700F64C169D849D7355DA349E129B94

Function 00CE0D10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8106edbd66ced12b84230c8ae2dde0ddf111932b799bea93e260792fbd00be1
Instruction ID: 1ad7b9d2bd64916b746bd4654ca862c1e0d4f264f57f383f44d13076c5a61645
Opcode Fuzzy Hash: c8106edbd66ced12b84230c8ae2dde0ddf111932b799bea93e260792fbd00be1
Instruction Fuzzy Hash: F4317E75A002449FDB15DF69C458BAEBBF2FF88300F248569E445AB361CB75AE44CB90

Function 00CE0998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8569364450f5f7a3854eb7760496385a2537af9b503fb0da9b51424d63fdf8ec
Instruction ID: 754826d4a70458bdce6e6d1bf4c5d5a76a2c6431e59d184aedd5e12b2b1b5b70
Opcode Fuzzy Hash: 8569364450f5f7a3854eb7760496385a2537af9b503fb0da9b51424d63fdf8ec
Instruction Fuzzy Hash: A421623070178A8FEB689F77ED5933E3AA5AB14341770553DD413C2261EBB4CA80A7D5

Function 00CE09A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ff6f7587ceb6c7ddb7636cdb73ddb43f4441a5580d820e4675f799677902b8
Instruction ID: 675f1a6b49f4ddd346ad678e21669410229f62ba05cb761016796e822bd66eb2
Opcode Fuzzy Hash: 42ff6f7587ceb6c7ddb7636cdb73ddb43f4441a5580d820e4675f799677902b8
Instruction Fuzzy Hash: 5A216F3070178B8FDB58AF77A81972E3AA5AB00341770543D9812C2251EFB4CA80A7E5

Function 00CE1431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150a6752432eab5fa15883a916d7471794522a00d58265fce9cd7dc3a1f1bd26
Instruction ID: 8c19d0c1ddc74f57557abc7711f7bc80d2b3016c6b5153c33c86a1bbdf06cc16
Opcode Fuzzy Hash: 150a6752432eab5fa15883a916d7471794522a00d58265fce9cd7dc3a1f1bd26
Instruction Fuzzy Hash: A111CB71A00241CFDB45DBBADA1866ABBF2AF88310764447CD806DB3A0EB35CD12DB80

Function 00CE1440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825c6d13c0dcc5ad4786e5dc77d3705f7acfddf5b89e8592ec07a6c4ded2f5cd
Instruction ID: e97b68033c4a81f012b0686ada3c6fb56d8a65245dce9e89a32dd47a7b9db909
Opcode Fuzzy Hash: 825c6d13c0dcc5ad4786e5dc77d3705f7acfddf5b89e8592ec07a6c4ded2f5cd
Instruction Fuzzy Hash: 1E11C030B00245CFCB44EBBADA0966A7BF6AF88710724047DD806DB390EA35DD02CBD0

Function 00CE0E3F Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd886df9f53fba15d5a28b1201a5c5cfd19d74efdcea2ce73e3bf14188830220
Instruction ID: 97ea11746eb1166a51e2a239b26e0d1adc9c002d45d772dd902de38b08d8d847
Opcode Fuzzy Hash: cd886df9f53fba15d5a28b1201a5c5cfd19d74efdcea2ce73e3bf14188830220
Instruction Fuzzy Hash: 57F08B307042500FE34EA73D681072F3FD79FCA2103A548B6E049CB3A2CE25CC028394

Function 00CE0E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1695782171.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_ce0000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16238bbcb6f6a1ac779f79fd5d5f557176f939f6a0614d2f7c3502142dae255
Instruction ID: 6fd12b3066738d0bf19a761fa9acc199b2313d68035070a29e5a2b33dab76bce
Opcode Fuzzy Hash: c16238bbcb6f6a1ac779f79fd5d5f557176f939f6a0614d2f7c3502142dae255
Instruction Fuzzy Hash: C1E0EC363002109F8748966EA88495ABBDAEBC95753654479E509C7325DE62DC014794

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DpmrYeeDGcj.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25kz3xwf.gef.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0cfo1k4.lob.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnyunbss.52i.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzrk4sr0.dfp.psm1

C:\Users\user\AppData\Local\Temp\tmpA9.tmp

C:\Users\user\AppData\Local\Temp\tmpED50.tmp

Windows Analysis Report
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe

Function 030CD309 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Function 030CD318 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON