Edit tour

Windows Analysis Report
Orden de compra HO-PO-376-25.exe

Overview

General Information

Sample name:	Orden de compra HO-PO-376-25.exe
Analysis ID:	1562617
MD5:	dcf506612856d6b0949977f0d8a69d09
SHA1:	34c33ed398e1d023f07b656c380176d982e3cdde
SHA256:	3bd34f842f57e9c8767fb1f12d573c017b26b14c99a345e01a3ec841efb8f962
Tags:	AgentTeslaexeuser-lowmal3
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Orden de compra HO-PO-376-25.exe (PID: 1432 cmdline: "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe" MD5: DCF506612856D6B0949977F0D8A69D09)

Orden de compra HO-PO-376-25.exe (PID: 6328 cmdline: "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe" MD5: DCF506612856D6B0949977F0D8A69D09)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.gizemetiket.com.tr", "Username": "pgizemM6", "Password": "giz95Ffg"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1312134468.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 6328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 6328	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33091:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33103:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3318d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3321f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33289:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x332fb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33391:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33421:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x305b6:$s2: GetPrivateProfileString 0x2fc6f:$s3: get_OSFullName 0x312ba:$s5: remove_Key 0x31447:$s5: remove_Key 0x322ad:$s6: FtpWebRequest 0x33073:$s7: logins 0x335e5:$s7: logins 0x3635e:$s7: logins 0x363a8:$s7: logins 0x37ca6:$s7: logins 0x36f42:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31291:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31303:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3138d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3141f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31489:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x314fb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31591:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31621:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e7b6:$s2: GetPrivateProfileString 0x2de6f:$s3: get_OSFullName 0x2f4ba:$s5: remove_Key 0x2f647:$s5: remove_Key 0x304ad:$s6: FtpWebRequest 0x31273:$s7: logins 0x317e5:$s7: logins 0x3455e:$s7: logins 0x345a8:$s7: logins 0x35ea6:$s7: logins 0x35142:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31291:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31303:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3138d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3141f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31489:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x314fb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31591:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31621:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2e7b6:$s2: GetPrivateProfileString 0x2de6f:$s3: get_OSFullName 0x2f4ba:$s5: remove_Key 0x2f647:$s5: remove_Key 0x304ad:$s6: FtpWebRequest 0x31273:$s7: logins 0x317e5:$s7: logins 0x3455e:$s7: logins 0x345a8:$s7: logins 0x35ea6:$s7: logins 0x35142:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33091:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33103:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3318d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3321f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33289:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x332fb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33391:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33421:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x305b6:$s2: GetPrivateProfileString 0x2fc6f:$s3: get_OSFullName 0x312ba:$s5: remove_Key 0x31447:$s5: remove_Key 0x322ad:$s6: FtpWebRequest 0x33073:$s7: logins 0x335e5:$s7: logins 0x3635e:$s7: logins 0x363a8:$s7: logins 0x37ca6:$s7: logins 0x36f42:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33091:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6d6b1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33103:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6d723:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3318d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6d7ad:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3321f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6d83f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33289:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6d8a9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x332fb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6d91b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33391:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6d9b1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33421:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6da41:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x305b6:$s2: GetPrivateProfileString 0x6abd6:$s2: GetPrivateProfileString 0x2fc6f:$s3: get_OSFullName 0x6a28f:$s3: get_OSFullName 0x312ba:$s5: remove_Key 0x31447:$s5: remove_Key 0x6b8da:$s5: remove_Key 0x6ba67:$s5: remove_Key 0x322ad:$s6: FtpWebRequest 0x6c8cd:$s6: FtpWebRequest 0x33073:$s7: logins 0x335e5:$s7: logins 0x3635e:$s7: logins 0x363a8:$s7: logins 0x37ca6:$s7: logins 0x6d693:$s7: logins 0x6dc05:$s7: logins 0x7097e:$s7: logins 0x709c8:$s7: logins 0x722c6:$s7: logins 0x36f42:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xd0b81:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x257cd1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2922f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xd0bf3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x257d43:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x292363:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xd0c7d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x257dcd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2923ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xd0d0f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x257e5f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x29247f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xd0d79:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x257ec9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2924e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xd0deb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x257f3b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x29255b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xd0e81:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x257fd1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2925f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0xce0a6:$s2: GetPrivateProfileString 0x2551f6:$s2: GetPrivateProfileString 0x28f816:$s2: GetPrivateProfileString 0xcd75f:$s3: get_OSFullName 0x2548af:$s3: get_OSFullName 0x28eecf:$s3: get_OSFullName 0xcedaa:$s5: remove_Key 0xcef37:$s5: remove_Key 0x255efa:$s5: remove_Key 0x256087:$s5: remove_Key 0x29051a:$s5: remove_Key 0x2906a7:$s5: remove_Key 0xcfd9d:$s6: FtpWebRequest 0x256eed:$s6: FtpWebRequest 0x29150d:$s6: FtpWebRequest 0xd0b63:$s7: logins 0xd10d5:$s7: logins 0xd3e4e:$s7: logins 0xd3e98:$s7: logins 0xd5796:$s7: logins 0x257cb3:$s7: logins
0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x10e89:$s1: file:/// 0x10de5:$s2: {11111-22222-10009-11112} 0x10e19:$s3: {11111-22222-50001-00000} 0xf1b3:$s4: get_Module 0xcda98:$s5: Reverse 0x254be8:$s5: Reverse 0x28f208:$s5: Reverse 0xd0362:$s6: BlockCopy 0x2574b2:$s6: BlockCopy 0x291ad2:$s6: BlockCopy 0x2d4b52:$s6: BlockCopy 0xcdcfd:$s7: ReadByte 0x254e4d:$s7: ReadByte 0x28f46d:$s7: ReadByte 0x2d49da:$s7: ReadByte 0x10e9b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 28 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://ftp.gizemetiket.com.tr

Avira URL Cloud: Label: malware

Found malware configuration

Source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.gizemetiket.com.tr", "Username": "pgizemM6", "Password": "giz95Ffg"}

Multi AV Scanner detection for submitted file

Source: Orden de compra HO-PO-376-25.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Orden de compra HO-PO-376-25.exe

Joe Sandbox ML: detected

Source: Orden de compra HO-PO-376-25.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49701 version: TLS 1.2

Source: Orden de compra HO-PO-376-25.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: EXQa.pdbSHA256 source: Orden de compra HO-PO-376-25.exe
Source:	Binary string: EXQa.pdb source: Orden de compra HO-PO-376-25.exe

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 93.89.225.40 93.89.225.40
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: TR-FBSTR TR-FBSTR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

FTP traffic detected: 93.89.225.40:21 -> 192.168.2.7:50005 220 Microsoft FTP Service

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.gizemetiket.com.tr

Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.gizemetiket.com.tr
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Orden de compra HO-PO-376-25.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, hxAF.cs	.Net Code: fM6x5OA38
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, hxAF.cs	.Net Code: fM6x5OA38

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_0177D344	0_2_0177D344
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073ECF38	0_2_073ECF38
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073EECF8	0_2_073EECF8
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073EB640	0_2_073EB640
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E0560	0_2_073E0560
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E0550	0_2_073E0550
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E95B8	0_2_073E95B8
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E9180	0_2_073E9180
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073ECF28	0_2_073ECF28
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073EAC90	0_2_073EAC90
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E99E0	0_2_073E99E0
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_0129E0D8	3_2_0129E0D8
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_0129A210	3_2_0129A210
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_0129A9E0	3_2_0129A9E0
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_01294A58	3_2_01294A58
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_0129DC60	3_2_0129DC60
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_01293E40	3_2_01293E40
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_01294188	3_2_01294188
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F55C0	3_2_068F55C0
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F65D0	3_2_068F65D0
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F7D60	3_2_068F7D60
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068FB220	3_2_068FB220
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F2398	3_2_068F2398
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F7680	3_2_068F7680
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F5CC8	3_2_068F5CC8
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068FE390	3_2_068FE390
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F0040	3_2_068F0040
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_069E1408	3_2_069E1408
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_069E1402	3_2_069E1402
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_068F0007	3_2_068F0007

Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309274174.00000000030C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5bc4a179-7022-47b4-bc67-c0ba357abdc4.exe4 vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309274174.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1312134468.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000000.1292169321.0000000000D92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEXQa.exe@ vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1306555952.00000000011FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5bc4a179-7022-47b4-bc67-c0ba357abdc4.exe4 vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000000.00000002.1312679400.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748881371.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dll vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5bc4a179-7022-47b4-bc67-c0ba357abdc4.exe4 vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748486232.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Orden de compra HO-PO-376-25.exe
Source: Orden de compra HO-PO-376-25.exe	Binary or memory string: OriginalFilenameEXQa.exe@ vs Orden de compra HO-PO-376-25.exe

Source: Orden de compra HO-PO-376-25.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: Orden de compra HO-PO-376-25.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.raw.unpack, id.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, N43UVggPg.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, Ow96S4wT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, MjzNdC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, r8uIPt2QaG5cmZqHq5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, r8uIPt2QaG5cmZqHq5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, r8uIPt2QaG5cmZqHq5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, CvbaCAA7okLeRqivGe.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra HO-PO-376-25.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Mutant created: NULL

Source: Orden de compra HO-PO-376-25.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Orden de compra HO-PO-376-25.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Orden de compra HO-PO-376-25.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process created: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process created: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Orden de compra HO-PO-376-25.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Orden de compra HO-PO-376-25.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Orden de compra HO-PO-376-25.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EXQa.pdbSHA256 source: Orden de compra HO-PO-376-25.exe
Source:	Binary string: EXQa.pdb source: Orden de compra HO-PO-376-25.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.raw.unpack, id.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: Orden de compra HO-PO-376-25.exe, LogInGUI.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, r8uIPt2QaG5cmZqHq5.cs	.Net Code: fF0lp4iH5c System.Reflection.Assembly.Load(byte[])

Source: Orden de compra HO-PO-376-25.exe

Static PE information: 0xFC306515 [Tue Jan 29 06:07:17 2104 UTC]

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073EC3F6 push esp; retf	0_2_073EC3F7
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073EC2E8 push eax; retf	0_2_073EC2E9
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E8DD5 pushad ; retf	0_2_073E8DD6
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 0_2_073E8A17 push esp; retf	0_2_073E8A18
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_01290C6D push edi; retf	3_2_01290C7A
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_01290C45 push ebx; retf	3_2_01290C52
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_069E8758 push es; ret	3_2_069E8764
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_069EAD0F push es; ret	3_2_069EAD10
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Code function: 3_2_069ED6D8 push 3A48069Dh; ret	3_2_069ED6E6

Source: Orden de compra HO-PO-376-25.exe

Static PE information: section name: .text entropy: 7.939518186580135

Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, KrGXNpzUCfLZyc2hHp.cs	High entropy of concatenated method names: 'FlDgFifkr8', 'mPkgARqC4d', 'WiogRyOdqc', 'gMjgtxAmW2', 'wk5g8wZD6S', 'SkhgSYDT5T', 'OkNgChp3Rm', 'Mqyg5bGau6', 'V75g9h138d', 'ECpgysmclR'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, UgyyIMWyjhuduGcm0E.cs	High entropy of concatenated method names: 'rxHO6eN4Xi', 'KJFOntNioA', 'yH83oiIOHR', 'XUX3SG6Kwd', 'cK73CIwx7Z', 'f7C3Gc2PJx', 'Ai837NgmvC', 'Kbt3PRIXsr', 'LSY3LojQbD', 'X813h2lW4B'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, j2ghBJjuPboNrHZlarv.cs	High entropy of concatenated method names: 'ToString', 'EGEIAlbIym', 'zoOIRLFRT0', 'P8FIWuafjB', 'fwJItokXwh', 'cZyI8Cl1tU', 'mFvIoYw37X', 'BHsIS9yDWB', 'BkHItEog1j39TSa24RA', 'cBowj7oSRdRQ6NLBYci'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, ovMkCYxexMMY8qkiki.cs	High entropy of concatenated method names: 'BECUv2iBaf', 'qnVUi2uYCX', 'pXAUUIBIkV', 'ishUIi24N5', 'h8OUN8r7vS', 'pYZU5URZ9H', 'Dispose', 'FeeDQTC0ha', 'QLPDdc2hKV', 'WAqD3HnmID'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, tRVnmaamlivpimTK3u.cs	High entropy of concatenated method names: 'X9SisFkEim', 'e8qiw2Ohve', 'W7LDcWpmUo', 'cuXDjEJXMc', 'FSEiHrPATu', 'zteimopqdV', 'ULkiEZaeSJ', 'cU5i0Y8wMV', 'qYTiMPc52Q', 'kkKibeW3fY'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, j7Yr6a0BOgvh9vdnur.cs	High entropy of concatenated method names: 'Nw3vhoFnNA', 'hs9vmRUs7w', 'l2Iv0oSy6G', 'xHivM3cCjL', 'PaRv83QC3L', 'LcWvodMw9l', 'ztTvS2ZTFC', 'VAbvCChIjU', 'pknvGjuVQJ', 'SMvv73h6KM'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, J5N6ZUu9HpBLmrF07m.cs	High entropy of concatenated method names: 'irvpeHAMv', 'Qb8kfIMdM', 'auZF3Mvko', 'KhMndpJOT', 'RdxRsVcQA', 'gPUWcToJJ', 'kL6d4iPF5TIy7l2X3b', 'bh3MvS2rlWk0sARn46', 'mUCDoLaHb', 'Hb0gKBKMS'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, bQQBnIjlSVRL1jvI3Tp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'o2rKUjYVyk', 'psIKgEfW9d', 'FNNKIPxH5L', 'CFHKKACBC6', 'E7bKN71cxl', 'kcnK4yJIle', 'jrtK519xnJ'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, wHoBTel7yvTEJwI3XW.cs	High entropy of concatenated method names: 'WjFjVvbaCA', 'Lokj2LeRqi', 'b5fj19Hg7S', 'pf7jYFZgyy', 'Kcmjv0E8AF', 'L5AjeqvEn3', 'cYCpXPJ8oAQF68v3le', 'fiKEeEzA1jGAhPMYQD', 'TsDjj6g7TK', 'HQ1jXLqMin'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, EhiyXLJnOWLvLAAi3w.cs	High entropy of concatenated method names: 'mq4Ut8UBPs', 'aJLU89Gt06', 'AFUUol2GW8', 'fjiUSUqrfC', 'NeFUCSNtmp', 'OvcUGAKrUH', 'tUfU7JuwvD', 'dy8UPqieuo', 'BnSULXN94c', 'biUUhxQlqJ'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, r8uIPt2QaG5cmZqHq5.cs	High entropy of concatenated method names: 'AGbXBRYFJD', 'An9XQh88cR', 'r0iXdjuL5i', 'MJIX3l3Pwo', 'MuEXOcKpmZ', 'XsbXTVNL1r', 'GW4XVdBCKD', 'u9BX2Rugi1', 'zS5XrPgkG3', 'nePX1JCQ6o'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, zMYjbAq4GYbmhKoXgp.cs	High entropy of concatenated method names: 'q08i1n4Fx7', 'WYliY1YRpa', 'ToString', 'OWPiQtCGNI', 'U5AidApmVH', 'arCi35vEoX', 'Lq4iOmrPnW', 'ByoiTGg6lw', 'wJCiV0OMvU', 'hkIi2JwUFC'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, whinbVjjef5Sb5h3XFk.cs	High entropy of concatenated method names: 'i2hgwFGsrX', 'GlIgzDZuZ2', 'Us5IcSLYEG', 'RVRIjlv2Fb', 'K6LIu91OlJ', 'IXrIXw0LDc', 'KRbIlvvd1m', 'fwuIBKuTBh', 'yHkIQAXWav', 'ulFIdM1veQ'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, IDvEgjR5f9Hg7Sef7F.cs	High entropy of concatenated method names: 'MwC3kOUO03', 'lyR3FtHtyM', 'hcc3AbL3kO', 'ugi3Rmte9n', 'ByG3vHx73Y', 'VcD3ebH4nN', 'sev3iKMpbt', 'eXD3DFw72F', 'Oc93UVJ8xQ', 'gK43gr8tku'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, GAF75AtqvEn3XFlJ6L.cs	High entropy of concatenated method names: 'mc8TBkvUs4', 'rjwTdJrybv', 'ON6TOIy0te', 'mjHTVdLKbj', 'UBIT2f77KU', 'xFAOZLKxGV', 'nO8OagnZxJ', 'I8JOxAtLBY', 'Vo9OsPxF6a', 'sWSOJfJLZM'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, LupxQIwQctV1G5VmLk.cs	High entropy of concatenated method names: 'FFXg3acIPh', 'POhgOCNRxC', 'x9CgTOdKoT', 'k7SgVnGbGg', 'u4RgUtLja4', 'Xefg2lUX95', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, CvbaCAA7okLeRqivGe.cs	High entropy of concatenated method names: 'Bfmd09phYR', 'KYodMEX1Di', 'TeUdbYkYiO', 'Fvydq4bugS', 'Em3dZDKTDW', 'IR6daiWjJy', 'j89dxwsVgJ', 'e7odsL7s3E', 'xyKdJNO6Xc', 'xKjdwEU3RE'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, YbjT0UdjRjmgw7e0rd.cs	High entropy of concatenated method names: 'Dispose', 'RMYjJ8qkik', 'Ns9u8stjy9', 'ueJIan3AB9', 'qPBjwfwfnN', 'Hr2jzR7wCn', 'ProcessDialogKey', 'ihAuchiyXL', 'COWujLvLAA', 'p3wuu7upxQ'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, NONh7AEZCeAm8LMHoH.cs	High entropy of concatenated method names: 'ULyfAy2wo9', 'LTrfRZXMbB', 'YaJftghbMg', 'MNJf8pW3jr', 'WRIfSDS6hw', 'feZfCfnIaH', 'cfff7WcBSF', 'emIfPXCP0V', 'Ms9fh8KC3i', 'G7XfHJyEPM'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, x25NtxbWRpOTlGHQmj.cs	High entropy of concatenated method names: 'ToString', 'CE6eH8RONw', 'z65e8MvfKl', 'xJ1eokfdGu', 'MQeeS77cdJ', 'G2DeC8gK1U', 'DfLeGMgEEO', 'Bn5e7HZIBF', 'XYVePrd5CB', 'GK4eLWL2OU'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, CYZ8ZCL7Jpkx9eEvL1.cs	High entropy of concatenated method names: 'FT8V9OkJoN', 'yYXVyaRuyC', 'lZ9Vp4yQIN', 'RajVkhMJnW', 'dcdV6DPImW', 'Yy0VFp2SAg', 'Y3YVnWw8kK', 'zwoVAi9S6g', 'h2BVR23Unl', 'iGmVWL6QAg'
Source: 0.2.Orden de compra HO-PO-376-25.exe.7720000.4.raw.unpack, NbAAwRjcqkJkBndFJCq.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lJngHEFFcl', 'v9kgmM1Vkb', 'mlNgEJdqlS', 'fmEg0paPQf', 'UwGgMHGFp6', 'atmgbDvJXw', 'jxQgqMmhif'

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 1720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 5080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 8C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Memory allocated: 2B80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598030	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597701	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597257	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Window / User API: threadDelayed 7991			Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Window / User API: threadDelayed 1874			Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

API coverage: 7.7 %

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -599014s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -598030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597257s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -594718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe TID: 7092	Thread sleep time: -594609s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599452	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 599014	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598796	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598577	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598468	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598249	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 598030	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597921	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597701	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597257	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595499	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748881371.0000000000FA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Memory written: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Process created: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe "C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 6328, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1312134468.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 6328, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 3.2.Orden de compra HO-PO-376-25.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42fd9f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.42c33d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 1432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Orden de compra HO-PO-376-25.exe PID: 6328, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.5ae0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1312134468.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.Orden de compra HO-PO-376-25.exe.409e790.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Orden de compra HO-PO-376-25.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
Orden de compra HO-PO-376-25.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://ftp.gizemetiket.com.tr	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high
ftp.gizemetiket.com.tr	93.89.225.40	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://account.dyn.com/	Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ftp.gizemetiket.com.tr	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D02000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/DataSet1.xsd	Orden de compra HO-PO-376-25.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
93.89.225.40	ftp.gizemetiket.com.tr	Turkey		51557	TR-FBSTR	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562617
Start date and time:	2024-11-25 19:28:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Orden de compra HO-PO-376-25.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 89 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Orden de compra HO-PO-376-25.exe

Simulations

Behavior and APIs

Time	Type	Description
13:29:04	API Interceptor	11516239x Sleep call for process: Orden de compra HO-PO-376-25.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
93.89.225.40	order and drawings_pdf.exe	Get hash	malicious	AgentTesla	Browse
	Factura de proforma.exe	Get hash	malicious	AgentTesla	Browse
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse
	Copia pendiente de pago Proveedor 107924.exe	Get hash	malicious	AgentTesla	Browse
	NUOVO PO 72968.exe	Get hash	malicious	AgentTesla	Browse
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse
	Ordine d'acquisto OI16014 e OI1601.exe	Get hash	malicious	AgentTesla	Browse
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse
	Orden de compra 516-57406.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.gizemetiket.com.tr	order and drawings_pdf.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Factura de proforma.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Copia pendiente de pago Proveedor 107924.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	NUOVO PO 72968.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Ordine d'acquisto OI16014 e OI1601.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Orden de compra 516-57406.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
api.ipify.org	RICHIESTA D'OFFERTA.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.12.205
	DJ5PhUwOsM.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TR-FBSTR	order and drawings_pdf.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Factura de proforma.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Copia pendiente de pago Proveedor 107924.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	NUOVO PO 72968.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	Ordine d'acquisto OI16014 e OI1601.exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse	93.89.225.40
	http://instagramlogin.com.tr/	Get hash	malicious	Unknown	Browse	93.89.226.17
CLOUDFLARENETUS	https://myworkspaceb7705.myclickfunnels.com/ville-de-rouyn-noranda	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	104.18.35.212
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.240
	uniswap-sniper-bot-with-gui Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	_Rmcgaughy_Sonicwall inc._Financial...2024-jxj9FL.svg	Get hash	malicious	Unknown	Browse	104.21.66.145
	_Rmcgaughy_Sonicwall inc._Financial...2024-jxj9FL.svg	Get hash	malicious	Unknown	Browse	172.67.205.48
	uniswap-sniper-bot-with-gui Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.177.134
	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	104.21.81.137
	Evidence of copyright infringement.bat	Get hash	malicious	Unknown	Browse	172.67.189.157
	Compilation of videos and images protected by copyright.bat	Get hash	malicious	Unknown	Browse	104.21.81.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	Cryptbot	Browse	172.67.74.152
	INV-0542.pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.74.152
	Evidence of copyright infringement (2).bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	Evidence of copyright infringement.bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	Compilation of videos and images protected by copyright.bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	Verzameling van video's en afbeeldingen die beschermd zijn door auteursrecht (2).bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	xeno.bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	X4S15uEwg5.bat	Get hash	malicious	Unknown	Browse	172.67.74.152
	JDHh9P2IVM.bat	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.93132456588385
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Orden de compra HO-PO-376-25.exe
File size:	718'848 bytes
MD5:	dcf506612856d6b0949977f0d8a69d09
SHA1:	34c33ed398e1d023f07b656c380176d982e3cdde
SHA256:	3bd34f842f57e9c8767fb1f12d573c017b26b14c99a345e01a3ec841efb8f962
SHA512:	c9afa0b2ad51b315b7df0b308c0ff3252dbfc4504c861d6dd2b4f2f2163403752f46193f79115ccaac9fee938cd2aa32a8dcac37fe9ca988cf23ebb4651266b5
SSDEEP:	12288:QCSZK3RbeXGvFNqZIHaLfHNRXLQQb2qQW3FOhm/sspWV12xKgSQZaN+:QvZK35eXuNqaa7PQ5qchqpq2Ygq+
TLSH:	9EE4125033A89F36D5BE53FA190AB24403B194576272D38C0ECAA1DF1F53B629A23F57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e0...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b0bc2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFC306515 [Tue Jan 29 06:07:17 2104 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0b70	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae120	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaebc8	0xaec00	6c5fd06157c33df28555302a62afa5cc	False	0.9478691657725322	data	7.939518186580135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x628	0x800	bca26ba9b58af48eb9b313b5f9faf979	False	0.33837890625	data	3.466311275592606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	8608a77e637b769322319fcef6d8e11f	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2090	0x398	OpenPGP Public Key			0.4217391304347826
RT_MANIFEST	0xb2438	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 19:29:06.836779118 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:06.836821079 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:06.836889982 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:06.844440937 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:06.844468117 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.163141966 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.163223982 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:08.168514967 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:08.168534040 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.168915033 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.208978891 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:08.254632950 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:08.295334101 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.788938999 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.789002895 CET	443	49701	172.67.74.152	192.168.2.7
Nov 25, 2024 19:29:08.789091110 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:08.900969982 CET	49701	443	192.168.2.7	172.67.74.152
Nov 25, 2024 19:29:10.304809093 CET	49704	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:29:10.429229975 CET	21	49704	93.89.225.40	192.168.2.7
Nov 25, 2024 19:29:10.429316998 CET	49704	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:29:10.433466911 CET	49704	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:29:10.553692102 CET	21	49704	93.89.225.40	192.168.2.7
Nov 25, 2024 19:29:10.553762913 CET	49704	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:30.854331017 CET	49883	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:30.979183912 CET	21	49883	93.89.225.40	192.168.2.7
Nov 25, 2024 19:30:30.979298115 CET	49883	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:30.979613066 CET	49883	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:31.102864981 CET	21	49883	93.89.225.40	192.168.2.7
Nov 25, 2024 19:30:31.102927923 CET	49883	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:40.681818962 CET	49905	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:40.801848888 CET	21	49905	93.89.225.40	192.168.2.7
Nov 25, 2024 19:30:40.802037001 CET	49905	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:40.846390009 CET	49905	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:30:40.966746092 CET	21	49905	93.89.225.40	192.168.2.7
Nov 25, 2024 19:30:40.972793102 CET	49905	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:06.954829931 CET	49962	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:07.076077938 CET	21	49962	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:07.076194048 CET	49962	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:07.076364994 CET	49962	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:07.199254990 CET	21	49962	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:07.199404001 CET	49962	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:09.759934902 CET	49970	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:09.925776958 CET	21	49970	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:09.925849915 CET	49970	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:09.926017046 CET	49970	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:09.967907906 CET	49971	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:10.048367023 CET	21	49970	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:10.061469078 CET	21	49970	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:10.061516047 CET	49970	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:10.088363886 CET	21	49971	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:10.088452101 CET	49971	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:10.088696957 CET	49971	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:10.208947897 CET	21	49971	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:10.208995104 CET	49971	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:11.936959982 CET	49975	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:12.061350107 CET	21	49975	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:12.061434984 CET	49975	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:12.061682940 CET	49975	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:12.197397947 CET	21	49975	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:12.197453976 CET	49975	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:22.572218895 CET	49985	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:22.692590952 CET	21	49985	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:22.692679882 CET	49985	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:22.692863941 CET	49985	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:22.818294048 CET	21	49985	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:22.818351984 CET	49985	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:37.338318110 CET	49986	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:37.459836960 CET	21	49986	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:37.460114002 CET	49986	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:37.460372925 CET	49986	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:37.580677986 CET	21	49986	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:37.581382036 CET	49986	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:41.323884010 CET	49987	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:41.449533939 CET	21	49987	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:41.449949026 CET	49987	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:41.450339079 CET	49987	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:41.818850994 CET	49987	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:42.059185982 CET	21	49987	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:42.063407898 CET	21	49987	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:42.063446999 CET	49987	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:46.626682997 CET	49988	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:46.747050047 CET	21	49988	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:46.747132063 CET	49988	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:46.747365952 CET	49988	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:47.102092981 CET	49988	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:47.343595028 CET	21	49988	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:47.343630075 CET	21	49988	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:47.343739033 CET	49988	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:50.453918934 CET	49989	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:50.643102884 CET	21	49989	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:50.643186092 CET	49989	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:50.643368959 CET	49989	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:50.765882015 CET	21	49989	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:50.766006947 CET	49989	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.151335955 CET	49990	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.274300098 CET	21	49990	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:51.274478912 CET	49990	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.274688959 CET	49990	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.339345932 CET	49991	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.397990942 CET	21	49990	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:51.403373003 CET	49990	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.465163946 CET	21	49991	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:51.471369982 CET	49991	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.488337994 CET	49991	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:31:51.791937113 CET	21	49991	93.89.225.40	192.168.2.7
Nov 25, 2024 19:31:51.792062044 CET	49991	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:07.105329990 CET	49992	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:07.226300001 CET	21	49992	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:07.226787090 CET	49992	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:07.226787090 CET	49992	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:07.347282887 CET	21	49992	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:07.347445011 CET	49992	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:10.113166094 CET	49993	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:10.234545946 CET	21	49993	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:10.234638929 CET	49993	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:10.234900951 CET	49993	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:10.355129004 CET	21	49993	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:10.355204105 CET	49993	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:11.573450089 CET	49994	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:11.693820000 CET	21	49994	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:11.695467949 CET	49994	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:11.695779085 CET	49994	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:11.818543911 CET	21	49994	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:11.818644047 CET	49994	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:12.845535040 CET	49995	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:12.965769053 CET	21	49995	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:12.965876102 CET	49995	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:12.966056108 CET	49995	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:13.088831902 CET	21	49995	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:13.088933945 CET	49995	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:24.889220953 CET	49996	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:25.009659052 CET	21	49996	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:25.009747028 CET	49996	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:25.009958029 CET	49996	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:25.132047892 CET	21	49996	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:25.137444019 CET	49996	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:30.514906883 CET	49997	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:30.637540102 CET	21	49997	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:30.637641907 CET	49997	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:30.637891054 CET	49997	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:30.758336067 CET	21	49997	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:30.758399010 CET	49997	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:35.197869062 CET	49998	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:35.321602106 CET	21	49998	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:35.325603008 CET	49998	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:35.325603008 CET	49998	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:35.449964046 CET	21	49998	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:35.453438044 CET	49998	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:47.981359959 CET	49999	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:48.101793051 CET	21	49999	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:48.101875067 CET	49999	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:48.102109909 CET	49999	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:48.222408056 CET	21	49999	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:48.222474098 CET	49999	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:52.953871012 CET	50000	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:53.074254990 CET	21	50000	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:53.074506044 CET	50000	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:53.074634075 CET	50000	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:32:53.195122004 CET	21	50000	93.89.225.40	192.168.2.7
Nov 25, 2024 19:32:53.199657917 CET	50000	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:01.921384096 CET	50001	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:02.048388004 CET	21	50001	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:02.049491882 CET	50001	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:02.049681902 CET	50001	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:02.176239014 CET	21	50001	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:02.176291943 CET	50001	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:04.825342894 CET	50002	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:04.946054935 CET	21	50002	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:04.946362972 CET	50002	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:04.946460962 CET	50002	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:05.072299004 CET	21	50002	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:05.074996948 CET	21	50002	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:05.075165033 CET	50002	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:05.339227915 CET	50003	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:05.466182947 CET	21	50003	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:05.466326952 CET	50003	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:05.466578007 CET	50003	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:05.593554974 CET	21	50003	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:05.597445011 CET	50003	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:09.323420048 CET	50004	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:09.444847107 CET	21	50004	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:09.445455074 CET	50004	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:09.445601940 CET	50004	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:09.568089962 CET	21	50004	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:09.568228006 CET	50004	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:11.557933092 CET	50005	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:11.689610004 CET	21	50005	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:11.689764977 CET	50005	21	192.168.2.7	93.89.225.40
Nov 25, 2024 19:33:13.008523941 CET	21	50005	93.89.225.40	192.168.2.7
Nov 25, 2024 19:33:13.053553104 CET	50005	21	192.168.2.7	93.89.225.40

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 19:29:06.686902046 CET	51329	53	192.168.2.7	1.1.1.1
Nov 25, 2024 19:29:06.829432011 CET	53	51329	1.1.1.1	192.168.2.7
Nov 25, 2024 19:29:09.526451111 CET	61143	53	192.168.2.7	1.1.1.1
Nov 25, 2024 19:29:10.304095984 CET	53	61143	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 19:29:06.686902046 CET	192.168.2.7	1.1.1.1	0x15ae	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 19:29:09.526451111 CET	192.168.2.7	1.1.1.1	0x8988	Standard query (0)	ftp.gizemetiket.com.tr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 19:29:06.829432011 CET	1.1.1.1	192.168.2.7	0x15ae	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 19:29:06.829432011 CET	1.1.1.1	192.168.2.7	0x15ae	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 19:29:06.829432011 CET	1.1.1.1	192.168.2.7	0x15ae	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 19:29:10.304095984 CET	1.1.1.1	192.168.2.7	0x8988	No error (0)	ftp.gizemetiket.com.tr	93.89.225.40	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	172.67.74.152	443	6328	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 18:29:08 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 18:29:08 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 18:29:08 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e83b3d8dc2243d5-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1590&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1819314&cwnd=240&unsent_bytes=0&cid=359af43fee1adad4&ts=637&x=0"
2024-11-25 18:29:08 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2024 19:33:13.008523941 CET	21	50005	93.89.225.40	192.168.2.7	220 Microsoft FTP Service

Target ID:	0
Start time:	13:29:04
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Imagebase:	0xce0000
File size:	718'848 bytes
MD5 hash:	DCF506612856D6B0949977F0D8A69D09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1312134468.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:29:05
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Imagebase:	0x850000
File size:	718'848 bytes
MD5 hash:	DCF506612856D6B0949977F0D8A69D09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3749743941.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.8%
Total number of Nodes:	248
Total number of Limit Nodes:	12

Executed Functions

Function 073EECF8 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1deb41226d647188ad78c0b1ea27ea25b1fe15e8c934c2ed63f09d8c43504f
Instruction ID: 5bcb9291c8ede44253ce74fd4746c368a6c85d309084198f5872d683579cf335
Opcode Fuzzy Hash: 3b1deb41226d647188ad78c0b1ea27ea25b1fe15e8c934c2ed63f09d8c43504f
Instruction Fuzzy Hash: 4E32BFB1B012168FFB18DB79C454BAEB7FAAF89300F244469E00A9B394CB71ED01CB51

Function 073ECF38 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689823fbad2a2541657684cb167aa96304658092e26de0d0c0b0a37f3b91cc63
Instruction ID: 7971cf8abed3822489a00cdf02e0c64ff824a3e54529f8bafd5a560b263ec9a1
Opcode Fuzzy Hash: 689823fbad2a2541657684cb167aa96304658092e26de0d0c0b0a37f3b91cc63
Instruction Fuzzy Hash: BF71FAB1E15629CBEB24CF66C9407D9F7BABF89300F14D1AAD40DA7294DB705A86CF40

Function 073EBDB5 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073EBFF6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 78a02c6424cf5ef84af8d9b35bfdb169d3c138466b9f3c34c09583c369cb4b5f
Instruction ID: 188abf100aa380170fbac6cb79a20607931dd587d581c42356b51a58e0ab5013
Opcode Fuzzy Hash: 78a02c6424cf5ef84af8d9b35bfdb169d3c138466b9f3c34c09583c369cb4b5f
Instruction Fuzzy Hash: AE915DB1D00229DFEB25CF68C841BEDFBB6BF44314F14816AE818A7280D7749985CF92

Function 073EBDC0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073EBFF6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 537195dbfc82959d258d0b0dcae06c75b9f16ea01938c07f508e2b5c155d02fd
Instruction ID: 4372b5ba6bf194c342a04cbb554b52a6fab1a3865ced4eae3f436db957b22fc4
Opcode Fuzzy Hash: 537195dbfc82959d258d0b0dcae06c75b9f16ea01938c07f508e2b5c155d02fd
Instruction Fuzzy Hash: 11914DB1D00329DFEB25CF68C841BEDBBB6AF44314F148569E818A7280D7759985CF92

Function 0177AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0177AFDE

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d092c70f3d6bdbeece9846f310c9cdb85684b319ea820225c3bfa9301b94bd29
Instruction ID: 3499c1466508c8f2cc4e65a45e392279bf2b488da7e49372a323323c4aeb7fcb
Opcode Fuzzy Hash: d092c70f3d6bdbeece9846f310c9cdb85684b319ea820225c3bfa9301b94bd29
Instruction Fuzzy Hash: 26713770A00B058FEB25DF29D45579AFBF1FF88204F04892EE48AD7A50D775E849CB91

Function 017744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017759C9

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a84e9c7564d593007f5f71670ab36c8ce600afbcb677cc8cef19eea8b1e459d1
Instruction ID: 24656b155216ac2f3820ade12114aa6ef81d709bf012c810278bbbf4102e4ace
Opcode Fuzzy Hash: a84e9c7564d593007f5f71670ab36c8ce600afbcb677cc8cef19eea8b1e459d1
Instruction Fuzzy Hash: 6C41CF71C00719CFEB24DFA9C884BCDBBB5BF49304F20846AD409AB251DB756946CF90

Function 0177590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017759C9

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1dbcd15451334675a98db9b4b8a17b58ee2d95d6b38f2dfd014eaf9ac5341f3b
Instruction ID: f3ae088702698b942f68c27916cd39258de3695f7daf4c0bfa8ac52478b18d23
Opcode Fuzzy Hash: 1dbcd15451334675a98db9b4b8a17b58ee2d95d6b38f2dfd014eaf9ac5341f3b
Instruction Fuzzy Hash: 5741EFB1C00719CFEB24DFA9C884BCDBBB1BF49704F20806AD409AB251DB756946CF50

Function 073EBB31 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073EBBC8

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 65b86dd5965cdad4a591768a0cbb130308579059ea48debfa1ae03625ac02b2d
Instruction ID: 6f1548d96a458a20f04391d59022467820ba845eacd588982baea606307f330d
Opcode Fuzzy Hash: 65b86dd5965cdad4a591768a0cbb130308579059ea48debfa1ae03625ac02b2d
Instruction Fuzzy Hash: 6A2139B59003599FDB10CFAAC981BEEBBF5FF48310F10882AE559A7240C7789544CBA5

Function 073EBC20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073EBCA8

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0510c3b103c6f64d2bc8fc69369946b30dd93b96fd5008a02bbe2cd99ce3bd5a
Instruction ID: cbfd0bd6b19388bcc4ca5d3c5aa32496a3d266698d913f0e2428f41b9d5246ac
Opcode Fuzzy Hash: 0510c3b103c6f64d2bc8fc69369946b30dd93b96fd5008a02bbe2cd99ce3bd5a
Instruction Fuzzy Hash: 8C2157B18003599FDB10CFAAD880BEEFBF4FF48310F10842AE559A7240CB3995418BA1

Function 073EBB38 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073EBBC8

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7bf08348f87ddb4b5fbc2a7f720ccc9c15cdf96666286bfab32ed16a51f08b5a
Instruction ID: 4b4dad45eb9a051497caa6d37b8afffa526de8b48c5c2fa2826971cedce3282f
Opcode Fuzzy Hash: 7bf08348f87ddb4b5fbc2a7f720ccc9c15cdf96666286bfab32ed16a51f08b5a
Instruction Fuzzy Hash: 672128B5900359DFDB10CFAAC985BDEBBF5FF48310F10882AE959A7240D7789540CBA4

Function 073EB560 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073EB5E6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 22fb585f4ef54cef47868f3ff93a084e0346776cabd885455caaa9cb1f1c850a
Instruction ID: 5b351320ce00266b47480f10b8c036b338c25ea2bce29b770793bcd1b2ade1f4
Opcode Fuzzy Hash: 22fb585f4ef54cef47868f3ff93a084e0346776cabd885455caaa9cb1f1c850a
Instruction Fuzzy Hash: E2213BB19003099FDB14DFAAC485BEEFBF4EF48310F14842AD519A7641CB789945CFA5

Function 0177B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0177D626,?,?,?,?,?), ref: 0177D6E7

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 83c823a9c4a9aab88469fe3023b142ea1f80ca2b7ae6c45511c5cb6c87719f4f
Instruction ID: e63f364f114835447ec2ef57cd5466a65fbc5041592ec289c83a1da003a6a3ca
Opcode Fuzzy Hash: 83c823a9c4a9aab88469fe3023b142ea1f80ca2b7ae6c45511c5cb6c87719f4f
Instruction Fuzzy Hash: F421D4B5900248EFDB10CF9AD584ADEFBF4EB48350F14841AE918A7350D375A940CFA5

Function 0177D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0177D626,?,?,?,?,?), ref: 0177D6E7

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4a142e83199b3b2e3308e1d678c147f2603ba8f1135ccfd73baae6133e149aa8
Instruction ID: 601dd3ecf510513191192d0b4b7b7a78402e6b013282a73b0fdd3445d4fdc615
Opcode Fuzzy Hash: 4a142e83199b3b2e3308e1d678c147f2603ba8f1135ccfd73baae6133e149aa8
Instruction Fuzzy Hash: 1621D4B5900248EFDB20CF9AD984ADEFBF4FB48350F14841AE918A7350D379A941CF65

Function 073EB568 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073EB5E6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 03dcebf67675c36bf9a5cb19acbe22fa4fbd49b3863ac9d7346490b572c6b19c
Instruction ID: 44c7c1b52c9fe3a030bb436c324426634ca1a23723df4cce7c6345f81f433755
Opcode Fuzzy Hash: 03dcebf67675c36bf9a5cb19acbe22fa4fbd49b3863ac9d7346490b572c6b19c
Instruction Fuzzy Hash: BF2125B1D003099FEB14DFAAC484BAEFBF4AF48310F14842AD419A7280CB789944CFA5

Function 073EBC28 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073EBCA8

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93820be38dd51cdf88ac0c661c92125315af6a663a9f79377d2eea0f2096d296
Instruction ID: 1d1d20138724ad18625e0d93e3f364d9a1a1ece4fe443f42a82e21fd57deb900
Opcode Fuzzy Hash: 93820be38dd51cdf88ac0c661c92125315af6a663a9f79377d2eea0f2096d296
Instruction Fuzzy Hash: EF2107B18003599FDB10DFAAC984BDEFBF5FF48310F10842AE559A7240C77995409BA5

Function 073EBA71 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073EBAE6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8f267fbe46aaedc7742ea877356ffb5132f507b360e1879bf1e99cdb73e51737
Instruction ID: 7e2355f57082b7bffc94e24275b90752ba42ba8b1b4b8dd5a8bca85cd66c5fbe
Opcode Fuzzy Hash: 8f267fbe46aaedc7742ea877356ffb5132f507b360e1879bf1e99cdb73e51737
Instruction Fuzzy Hash: 801147B68002499FDB25DFAAC844BEEBBF5EF88310F10881AE519A7650CB759540CFA1

Function 073EB4B1 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073EB51A

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c62f4286a93245871bc4a9207aebc69cfbe74ce91e6c77ab53d42faf0c2dd78
Instruction ID: 8af12eaee9b019207f708272c8722396b59cd514f6f2f81f55b41749485fad2e
Opcode Fuzzy Hash: 3c62f4286a93245871bc4a9207aebc69cfbe74ce91e6c77ab53d42faf0c2dd78
Instruction Fuzzy Hash: F9117CB5C003488FDB20DFAAC4447DEFBF4EB88310F148419D519A7740CA75A940CFA5

Function 073EBA78 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073EBAE6

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b21a94ead42f06b8347d2fd977401ae9ce2f0b895cf31f13e38ad631dcde9696
Instruction ID: 5818d516f8a092407fc699b9b3f95f76815a504e624c556905490c0fb9de4927
Opcode Fuzzy Hash: b21a94ead42f06b8347d2fd977401ae9ce2f0b895cf31f13e38ad631dcde9696
Instruction Fuzzy Hash: 961126B68003499FDB25DFAAC844BDFFBF5EF88310F14881AE519A7250CB759540CBA5

Function 073EE039 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073EE09D

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5d21202d19fb59f6f4b9c1699857af53c8ef82b87a5d41b6450aa87c992aea86
Instruction ID: 3c12c33698c020ab68bbadd19a9c93024a29cb6ebc1608dbeea9f7c7e3f1f35a
Opcode Fuzzy Hash: 5d21202d19fb59f6f4b9c1699857af53c8ef82b87a5d41b6450aa87c992aea86
Instruction Fuzzy Hash: 3111E9B58002499FEB10DF9AD545BDEBBF8EB48310F108419D555A7640C375A544CFA1

Function 073EB4B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 073EB51A

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9e04ffb39fb0dbed668cd829f26d631ad0560775daaa98d57dfc49effe630298
Instruction ID: 6d8f2809327c1e8304bbab824bc00e05379e4e275896ca55609ddc9b82599404
Opcode Fuzzy Hash: 9e04ffb39fb0dbed668cd829f26d631ad0560775daaa98d57dfc49effe630298
Instruction Fuzzy Hash: 711128B1D003598FDB24DFAAC444BDEFBF4EB88310F14841AD519A7340CA79A940CFA5

Function 0177AF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0177AFDE

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 259d07928bf4c227e49a8a8ce8f76725ef2787946729cebe7e07aca922ebcfca
Instruction ID: c4f8c48ddad41d6ba01df2efbfff4fe3f8bde0a89634ae1387ead4b84c9c6796
Opcode Fuzzy Hash: 259d07928bf4c227e49a8a8ce8f76725ef2787946729cebe7e07aca922ebcfca
Instruction Fuzzy Hash: CC110FB6C006498FEB20CF9AC444BDEFBF4EB88214F14842AD429A7640C379A545CFA1

Function 073E8710 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 073EE09D

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f883c7311e02a984430671ec243083aa90101bbd5f9b34d01d33716740cbb954
Instruction ID: 2eef585d93c0ae75efaecbed01142a66245d6d5df16e7bb2cde5ad3a13e7be46
Opcode Fuzzy Hash: f883c7311e02a984430671ec243083aa90101bbd5f9b34d01d33716740cbb954
Instruction Fuzzy Hash: FC11F5B5800759DFEB20DF9AD584BDEBBF8EB48310F108419E519A7341C375A944CFA6

Function 076F0530 Relevance: 1.3, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 076F0590

Memory Dump Source

Source File: 00000000.00000002.1312656506.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4e77830cd5eff6f7c1c12876f8062d18d66a9821be8d1c1bcafdbdc04df4b9ea
Instruction ID: 5510281991435256f7079ae03579d45acb3ef543dbd911dcbc156c7154024bdd
Opcode Fuzzy Hash: 4e77830cd5eff6f7c1c12876f8062d18d66a9821be8d1c1bcafdbdc04df4b9ea
Instruction Fuzzy Hash: E11158B6800249DFDB20DF9AD544BDEBBF4EB88320F20841AD559A7741D738A544CFA5

Function 076F0538 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 076F0590

Memory Dump Source

Source File: 00000000.00000002.1312656506.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_76f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ff22a51e93d7518aa83c14cf74aa4beff1b0a398ce54f446e16545d906f5659f
Instruction ID: 3668f49fdca75ce1ade0f879a4040e3971bfe7f08c1392df054b2b6f9d627b1a
Opcode Fuzzy Hash: ff22a51e93d7518aa83c14cf74aa4beff1b0a398ce54f446e16545d906f5659f
Instruction Fuzzy Hash: EF1122B6800249DFDB20DF9AC544BDEBBF4EB48320F20841AD959A7341D378A644CFA5

Function 0147D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0433eab6d96378869ec098080b6c6bb1cfce7845ff276d8ed7d94f3ee0cc0cb7
Instruction ID: f97cda7cbcc7af37cc01068bd84cc5349ae2052f8d3b7dcecce2cdd42a0906a3
Opcode Fuzzy Hash: 0433eab6d96378869ec098080b6c6bb1cfce7845ff276d8ed7d94f3ee0cc0cb7
Instruction Fuzzy Hash: 5B210372910240EFDB15DF54D9C0B67BF65FF88318F24C56AE9090B266C336D456CAA2

Function 0147D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d2c04d7e7465ed8554bc2aded0f5244ded4f608b71a9f8bdd478e6763701bc
Instruction ID: 01e6ebf6ed6f7638f2cc13b9bc1699b7e80183f17efe8414c7c45fbca833842d
Opcode Fuzzy Hash: 01d2c04d7e7465ed8554bc2aded0f5244ded4f608b71a9f8bdd478e6763701bc
Instruction Fuzzy Hash: 17210672910204EFDB15DF54D9C0B96BB65FF84324F20C57EE9090F266C336E456CAA2

Function 0148D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307892861.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199f4ce01d92309dbf0a3bffd71e9c11b25bd00fda68d9f42769cb9ad36de73c
Instruction ID: a1b3dce7bf0b112e8e8f4c5503adcc95d97e71902e86e7565a9e2e621fd843d6
Opcode Fuzzy Hash: 199f4ce01d92309dbf0a3bffd71e9c11b25bd00fda68d9f42769cb9ad36de73c
Instruction Fuzzy Hash: 4D2103B1904300EFDB15EF64D980B1ABB61EB85318F20C56EE90A4B3E6C336D447CA62

Function 0148D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307892861.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc670fce7041194a529ede048481d84e7fcd7ca61dedf3ae8b38c5009c012b6
Instruction ID: c26c84970211e70829060fdd408469a3f3f26f5463b685331bdbc9bbc3175c89
Opcode Fuzzy Hash: 0fc670fce7041194a529ede048481d84e7fcd7ca61dedf3ae8b38c5009c012b6
Instruction Fuzzy Hash: AC21C571905204EFDB15EF94D9C0B2ABB65FB84324F24C56EE9094B3E2C336D846CA61

Function 0148D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307892861.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a1d6b0ed9f842fdce5297e847f9f8d3c069837aee55361186af924ec1a3d05
Instruction ID: 883f8ccedefbeceeb72aa543b7ad5a3b12e6fc5efb51a7ea9954775d102e029a
Opcode Fuzzy Hash: 62a1d6b0ed9f842fdce5297e847f9f8d3c069837aee55361186af924ec1a3d05
Instruction Fuzzy Hash: 1421AF755093808FDB02CF64D590716BF71EB46214F28C5DAD8498F6A3C33A980ACB62

Function 0147D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 0d58f4c0d8914e8fe528e04e79dd7bbbe81d4ade1dbe00f6c68ade53966c498d
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 3511C072804240DFDB16CF44D5C0B56BF61FF84324F2486AAD9090B667C33AD456CB91

Function 0147D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: a5b33713149ccb192f4021a8a060901776417bf6d309480ef22b2cb7f339dbc2
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 2B11CD72804280DFCB16CF54D9C0B56BF61FB84324F2486AAD8490B666C336D456CBA2

Function 0148D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307892861.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: fa0e4b2b034019fbac2cf6fa97a6cc41f1a891c5f2edd0ee98b0700ff2b8fdab
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 4C11BB75904280DFDB16DF54D5C0B1AFFA1FB84324F24C6AAD8494B7A6C33AD44ACB62

Function 0147D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588f1d3a69d672f4614dd72d7ce9c83c2cca2a51ce72353bca591f77bcf598fd
Instruction ID: 53f60d54a3d1be6c1f272a0b130908a1297f7d3a13771bf68f2df1dc4351db44
Opcode Fuzzy Hash: 588f1d3a69d672f4614dd72d7ce9c83c2cca2a51ce72353bca591f77bcf598fd
Instruction Fuzzy Hash: F601A731814380AEF7204B69CC84BA7FF98EF41660F18855BED090E396C2799445CAB2

Function 0147D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1307789926.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_147d000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9021ba09f4d5684216e2c2b25253abaca8b33c4d881c70d6e99c57290defe0ad
Instruction ID: 7be23cd39a1e1a2a3ade77e1ce9cac2fdeecf42da39bde2db71bf1f1de9f7a7c
Opcode Fuzzy Hash: 9021ba09f4d5684216e2c2b25253abaca8b33c4d881c70d6e99c57290defe0ad
Instruction Fuzzy Hash: 00F06271405384AEE7208B1ADD84BA3FFA8EF81664F18C55BED484F397C2799844CAB1

Non-executed Functions

Function 073EB640 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

{.01, xrefs: 073EB69B

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: {.01
API String ID: 0-556901794
Opcode ID: fd0008b9f8ddfdda20e32062ae6ae5279fb67e7325136c8d563b007f27fd81ef
Instruction ID: 2b2e1e429cf258e1c908b01f42b69e30ca809be4900f7ba35d186901110e6f82
Opcode Fuzzy Hash: fd0008b9f8ddfdda20e32062ae6ae5279fb67e7325136c8d563b007f27fd81ef
Instruction Fuzzy Hash: 32E11AB4E002198FDB15CFA9C580AAEFBB6FF49304F24816AD858AB355D7349D42CF61

Function 073E99E0 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb609d9e94e22106837d99aa311ef6db5fe1f47832dc4a84cfdff89a269da56
Instruction ID: 194f983612919e685036d8f2aa1ff6e36633a9ceb8fbe81b55ad764d21b46a0c
Opcode Fuzzy Hash: 7bb609d9e94e22106837d99aa311ef6db5fe1f47832dc4a84cfdff89a269da56
Instruction Fuzzy Hash: C8E11EB4E102198FDB14CF99C580AAEFBB6FF49304F24816AD858AB355D734AD41CF61

Function 073E95B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc29cc73d04f69b4e94f6ceb5517edff874dddc49c81bf4cdac5605c156b243
Instruction ID: 91872425015085e0f1809d45f91ea00189c0ec8089c89968ead5faeeb13f623a
Opcode Fuzzy Hash: afc29cc73d04f69b4e94f6ceb5517edff874dddc49c81bf4cdac5605c156b243
Instruction Fuzzy Hash: 49E1FCB4E002198FDB14CFA9C580AAEFBB6FF89305F24816AD458AB355D734AD41CF61

Function 073E9180 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2757c4107f07b6e463bbce940455d570f000f2b6caaec81c14aed5935c64fd
Instruction ID: 462bf31eccde75ec9c32a05f4f6a8eab52b3a6404863fea695eaef2c948d212d
Opcode Fuzzy Hash: bc2757c4107f07b6e463bbce940455d570f000f2b6caaec81c14aed5935c64fd
Instruction Fuzzy Hash: BAE11CB4E002298FDB14CF99C580AAEFBB6FF49304F24816AD858AB355D735AD41CF61

Function 073EAC90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f4fdf50521fd56765f43c6e30c1568d3eb83bd5a8e3b53f7089dee740862bd
Instruction ID: a0c3e0200f1246712552ca2d60ce6dbfc5daafb89697c07e9dc271e96298ccf3
Opcode Fuzzy Hash: d8f4fdf50521fd56765f43c6e30c1568d3eb83bd5a8e3b53f7089dee740862bd
Instruction Fuzzy Hash: D8E1D9B4E002198FDB14CF99C580AAEFBB6FB89305F24C16AD458AB355D734AD42CF61

Function 073E0550 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd1b3af2a096e7f82645fbfeb50041f71db5be94bb5a177f7b1fd762fa5c526
Instruction ID: e96b1fcf0f4a775e3e0f725571578019aa5ddc22afae03c526a21c2c4bd52be8
Opcode Fuzzy Hash: afd1b3af2a096e7f82645fbfeb50041f71db5be94bb5a177f7b1fd762fa5c526
Instruction Fuzzy Hash: 09D1D235C2065A8ACB11EFA4D9906D9F771FFA9200F109B9AE4493B210FF746AD5CF81

Function 0177D344 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1308967620.0000000001770000.00000040.00000800.00020000.00000000.sdmp, Offset: 01770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1770000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b70aa3a5ac96c0db7b790a046f21003f3f76d0d479f23e9e84c811e24902e0f
Instruction ID: e5e516bfb762c7b2d5639dd2cb4c70ad85ae28ad119ac787ef3645f2ff2cf9b0
Opcode Fuzzy Hash: 9b70aa3a5ac96c0db7b790a046f21003f3f76d0d479f23e9e84c811e24902e0f
Instruction Fuzzy Hash: A2A16D32E0021ACFCF16DFB4C94459EFBB2FF85300B15856AE915AB265DB71E906CB50

Function 073E0560 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3630cad7ec78cd74d6c151ed947abfa282d605f51da6beb00f20df7d7667ab0
Instruction ID: 367b751e4fd431b04a68f1fd1f89f55c8617531bde038b2e93e4ed7c16d7dde1
Opcode Fuzzy Hash: f3630cad7ec78cd74d6c151ed947abfa282d605f51da6beb00f20df7d7667ab0
Instruction Fuzzy Hash: 07D1C135C2065A8ACB11EFA4D9906D9F771FFA9200F109B9AE5493B210FF746AC5CF81

Function 073ECF28 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1312394617.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c480f277678e0f9a4a01eba5699da8763ad59dea1d8b63a66f3d4f7f208396c5
Instruction ID: 9e9530016b03a3a89d09767de09da3267b921d60a1afd14c4e6f6f84604de0b7
Opcode Fuzzy Hash: c480f277678e0f9a4a01eba5699da8763ad59dea1d8b63a66f3d4f7f208396c5
Instruction Fuzzy Hash: 0331C9B1E196688BEB18CF6B88043D9FAFAAFC9304F04D1AAC40C66255DB740986CF51

Analysis Process: Orden de compra HO-PO-376-25.exePID: 6328, Parent PID: 1432COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 068F2398 Relevance: 9.0, Strings: 6, Instructions: 1481COMMON

Download Yara Rule

Strings

$q, xrefs: 068F37AC
$q, xrefs: 068F37A0
$q, xrefs: 068F37C4
$q, xrefs: 068F3783
$q, xrefs: 068F3777
$q, xrefs: 068F37D0

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 4800270db99881eb8146781a417a70caa2dc4810b98fd474774e1e1740581481
Instruction ID: 33361b0100ddc62257d32de8e0893ea9f64cb9a76d9caf45a38c1875142a9b8c
Opcode Fuzzy Hash: 4800270db99881eb8146781a417a70caa2dc4810b98fd474774e1e1740581481
Instruction Fuzzy Hash: 52D25B34E10204CFDB64DFA8C594A9DB7B2FF89310F548569E609EB265EB74ED81CB80

Function 068FB220 Relevance: 8.3, Strings: 6, Instructions: 764COMMON

Download Yara Rule

Strings

$q, xrefs: 068FBB8F
$q, xrefs: 068FBB9B
$q, xrefs: 068FBBCF
$q, xrefs: 068FBB5B
$q, xrefs: 068FBB67
$q, xrefs: 068FBBC3

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 0f452f2e14c15aaa12b04dfb78b14eb0655bf0979dc3ff631b4795887d11c784
Instruction ID: d00987009d024f8bab7c8eb7030ee5c39c155052ce95bc3000b31f1d2ba5135f
Opcode Fuzzy Hash: 0f452f2e14c15aaa12b04dfb78b14eb0655bf0979dc3ff631b4795887d11c784
Instruction Fuzzy Hash: FC526230F202098FEF64DB68D5907AEB7B2EB49310F24852AE615EB355DB35DC81CB91

Function 068F7D60 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 068F809D
$q, xrefs: 068F80A9

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: ba1aec0afe42f3d3f21f22105bd6b609e36599a7a70869c2154a739d3b1c4b43
Instruction ID: ac80634b855f3ca08cefe3f316c228eb71a7ef5cf31fd696db9b7dd9d85b2b01
Opcode Fuzzy Hash: ba1aec0afe42f3d3f21f22105bd6b609e36599a7a70869c2154a739d3b1c4b43
Instruction Fuzzy Hash: FD028C30B112058FDB54DB68D990BAEBBF2EF84310F148529E615EB395DB75EC42CB90

Function 068F65D0 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5294cf63fc8d0c03f8076e4343aede8711d45f1d62704ce00bc35ffa9e2c42eb
Instruction ID: 05d6b80f052cba4e3ec83fd35f89b4c8dee34595c70fed111e360ab2835c1a24
Opcode Fuzzy Hash: 5294cf63fc8d0c03f8076e4343aede8711d45f1d62704ce00bc35ffa9e2c42eb
Instruction Fuzzy Hash: 8E629E34B102048FDB54DB68D594BADB7F2EF88314F148669E605EB395EB35EC82CB90

Function 068F55C0 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd720c6f8244d3ccde5ecd4980532653858145c2691ddb48b27f866011a4427
Instruction ID: 69e7ee4e52c11b23e73a1832059a7688f9b241eafb16da00262c668afa2c9e47
Opcode Fuzzy Hash: bfd720c6f8244d3ccde5ecd4980532653858145c2691ddb48b27f866011a4427
Instruction Fuzzy Hash: BA12E671F202149FDF64DB68D8807AEBBB2EB95310F248429EA56DB345DB34DC41CB91

Function 068FACB8 Relevance: 12.9, Strings: 10, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 068FAE5B
$q, xrefs: 068FADD9
$q, xrefs: 068FAE67
XM, xrefs: 068FB077
XM, xrefs: 068FB158
$q, xrefs: 068FADE5
$q, xrefs: 068FAE2C
$q, xrefs: 068FAE38
$q, xrefs: 068FAE84
$q, xrefs: 068FAE90

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: XM$XM$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-4055301323
Opcode ID: ab65535c8316ed9751b3cefe42c313ee65aafa242a9781866105a72f8bf4733e
Instruction ID: 5e83176570ab17c7d515740c54c48e49b8d14599ef148cf742496601db9cc48e
Opcode Fuzzy Hash: ab65535c8316ed9751b3cefe42c313ee65aafa242a9781866105a72f8bf4733e
Instruction Fuzzy Hash: E1E15034E20309CFDB69DB69D4906AEB7B6EF85310F108529EA19EB344DB31DC42CB91

Function 068F9138 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 068F91BA
$q, xrefs: 068F91C6
$q, xrefs: 068F918B
$q, xrefs: 068F917F

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 8f844e303fb74445c76bb27c8a8991d30c16da18c0de20faf10f0420314f1926
Instruction ID: 399c75ed1d2c6d48616493d6cdeb4092221733e76cb07390637d52c3c91de655
Opcode Fuzzy Hash: 8f844e303fb74445c76bb27c8a8991d30c16da18c0de20faf10f0420314f1926
Instruction Fuzzy Hash: E3914130B102198FDB54EF79D850BAE77F2AF88300F108569D909EB348EE75ED568B91

Function 068FCF30 Relevance: 4.5, Strings: 3, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 068FD33B
$q, xrefs: 068FD32F
$q, xrefs: 068FD327

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q
API String ID: 0-3067366958
Opcode ID: cd8bb7c750f47284f30dc00a7a3cdb2cd71952ded2a0e8ef8b9d977b01da1b5d
Instruction ID: 1e70a6b43cc946888db108d21e5dec684f847b97d4edc6ef5776c7ec3fe2df7a
Opcode Fuzzy Hash: cd8bb7c750f47284f30dc00a7a3cdb2cd71952ded2a0e8ef8b9d977b01da1b5d
Instruction Fuzzy Hash: 95624A34A102098FCB65EB78D590A9DB7F2FF84340B248A68E515DF359EB71EC46CB81

Function 068F4B88 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 068F4CB5
fq, xrefs: 068F5295
\Oq, xrefs: 068F4D3F

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: 97ffa26e4eeac0baccd455d1145cbe0383ae3cb71d264d483ab6a898980d546c
Instruction ID: 5a5e279dcf946a97226131dc2d0a80b92fec0ef087868318def6fe95deb8627f
Opcode Fuzzy Hash: 97ffa26e4eeac0baccd455d1145cbe0383ae3cb71d264d483ab6a898980d546c
Instruction Fuzzy Hash: CC617430E102089FEF549FB9C8557AEBAF6EF88300F208429E505EB395DF758D458B91

Function 068F9128 Relevance: 2.7, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 068F91BA
$q, xrefs: 068F917F

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: e34c19b4ebda2cd6035f3dffe7112bf4764d0b6d0df238fc8ec07469f841bf1d
Instruction ID: 2cde195a7af4e5ed5bb02add5b1a02b4efc4db28cf06fd287bde4b9821e7f694
Opcode Fuzzy Hash: e34c19b4ebda2cd6035f3dffe7112bf4764d0b6d0df238fc8ec07469f841bf1d
Instruction Fuzzy Hash: FD514030B102188FDB54EF79D851B6E77F6AF88340F108469DA09EB348EA35EC52CB91

Function 0129EA34 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 0129EABF

Memory Dump Source

Source File: 00000003.00000002.3749546958.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1290000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a9fcd423a564c1dbf2c2c3c9bcc0572aa8fc00c4c06475fcc17640a784a878fd
Instruction ID: 33074da47c464190b68a3c067d197364d8bbdf401feab8f9b740b5f4ca11b9d1
Opcode Fuzzy Hash: a9fcd423a564c1dbf2c2c3c9bcc0572aa8fc00c4c06475fcc17640a784a878fd
Instruction Fuzzy Hash: A72163B5C0025ADFDB10CFAAD5057DEBBF4BF08220F15852AD958A7250D738A945CFA1

Function 0129EA58 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 0129EABF

Memory Dump Source

Source File: 00000003.00000002.3749546958.0000000001290000.00000040.00000800.00020000.00000000.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1290000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 191c8af779301ee980e8877a11aaf4a56d796fed19ec561620c1daeff1ee8412
Instruction ID: b0e6435a41b05ccb2e63f0de0f3aafac060941ae5797db52a4eff8b64ee96a18
Opcode Fuzzy Hash: 191c8af779301ee980e8877a11aaf4a56d796fed19ec561620c1daeff1ee8412
Instruction Fuzzy Hash: 63110DB2C0065A9BDB10CF9AC444BDEFBF4BB48220F15852AE918A7640D778A9448FA5

Function 068F4B78 Relevance: 1.4, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPq, xrefs: 068F4CB5

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: XPq
API String ID: 0-1601936878
Opcode ID: 7a59961e1306d4010299615efb90c2ebade090deb0e89145f92c6fa6e2a5ded9
Instruction ID: 8878b4f30144d062b7a6f2e51a6ff7126cef17f90e279d8412fd8849406b9da4
Opcode Fuzzy Hash: 7a59961e1306d4010299615efb90c2ebade090deb0e89145f92c6fa6e2a5ded9
Instruction Fuzzy Hash: CC417D30E102089FEB559FB9C815B9EBBF2FF88300F20852AE105EB395DE758C018B90

Function 068FDAB8 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 068FDC01

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: daf09739e91e55ba6fcf2bd9b748949cca3681efe98028e2329473e2baf4e054
Instruction ID: 0e9053291efe1123c23359e1b33b25f5055760de86e1d755c60d024f89a31051
Opcode Fuzzy Hash: daf09739e91e55ba6fcf2bd9b748949cca3681efe98028e2329473e2baf4e054
Instruction Fuzzy Hash: 0D416030E102499FDB64DF75C5957AEBBB2FF85304F204929E606EB340DB71A846CB91

Function 068FDAA5 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PHq, xrefs: 068FDC01

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 718ee5dc68f1c5dd5d99505fe0e6f1a10a0c2570a98df95914f1c4cc30208d78
Instruction ID: 9186cd0e7d0d58b66c97b74ed29f16df3d657bd24e4720c78dba7a5a982a5f06
Opcode Fuzzy Hash: 718ee5dc68f1c5dd5d99505fe0e6f1a10a0c2570a98df95914f1c4cc30208d78
Instruction Fuzzy Hash: 56419F70E102499FDB65DF75C9956AEBBB2FF85300F144929E602EB240EB71E846CB81

Function 068F21FD Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PHq, xrefs: 068F234B

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 33f482c8d27eead405326ce546f5dc723f8c47eac87f52e5dee81c61b3d63f90
Instruction ID: 5642a377b7600c8f72d9a97926211a5f3ae002c76f7520aac3e4d77228620822
Opcode Fuzzy Hash: 33f482c8d27eead405326ce546f5dc723f8c47eac87f52e5dee81c61b3d63f90
Instruction Fuzzy Hash: 43314630B103048FDB54ABB8D46576E7BA2AB88300F14846DE502EB395DF36DE46CBD5

Function 068F2210 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHq, xrefs: 068F234B

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: b39e0daa4077b99297b144ae0213f9d527426a2fd7c8c44aed3fe50c196919a5
Instruction ID: b872434512dfb8c25bb283cbee68be4929662562b688180248c87e13191dcd2c
Opcode Fuzzy Hash: b39e0daa4077b99297b144ae0213f9d527426a2fd7c8c44aed3fe50c196919a5
Instruction Fuzzy Hash: 9031E430B102048FDB58ABB9D56476E7BE2AB88300F14842CE506EB394DF36DE46C7D5

Function 068FC168 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78efbb839c07896f399067622b9e7579cfffa353a547d62d69faf51d3bcc6a4
Instruction ID: 7c74414985fe92a605e9ee1d0c874b6092b8fbdedd51b12c513acae3e1cced83
Opcode Fuzzy Hash: e78efbb839c07896f399067622b9e7579cfffa353a547d62d69faf51d3bcc6a4
Instruction Fuzzy Hash: 35326134B112098FDB65DF68D890BAEB7B2FB88310F108529E605EB355DB35ED42CB91

Function 068FB21B Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6babebf81f383f2a956e668eaf14fae2f7080052319ae1c3c47ec9a7ed789e89
Instruction ID: 7a6676d710a3ba18b8f3445808eb1e1b2eed7e04c7267b00afa8f05063fc669c
Opcode Fuzzy Hash: 6babebf81f383f2a956e668eaf14fae2f7080052319ae1c3c47ec9a7ed789e89
Instruction Fuzzy Hash: 3FA17774F202084FEF64DBADD590BAE77E6EB89310F248429F605E7385CA35DC828B51

Function 068F61C8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e262953a64b5854311b892d0f428d859c03cae3184acac711f74a33751b0d3a
Instruction ID: 17c4baee74a558855d80100bcd309de069a59c9e061b403e5228a6a1e7e9be29
Opcode Fuzzy Hash: 5e262953a64b5854311b892d0f428d859c03cae3184acac711f74a33751b0d3a
Instruction Fuzzy Hash: E561F371F002104BDF509B7EC8846AEBAD7EFC8220B254539E90ADB368EE75DD4287C1

Function 068F42B9 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e900cd9fbe9911f0274c8640b5fee532a588fc374489fb46d654c2f157efa1c7
Instruction ID: 45863053d012b4e8839f81df42971370f9839e57525d329d7441b76e6f0748a0
Opcode Fuzzy Hash: e900cd9fbe9911f0274c8640b5fee532a588fc374489fb46d654c2f157efa1c7
Instruction Fuzzy Hash: 55812D34B112098BDF54DFB9D4547AEBBF2AF89300F108529E50AEB749EE74DC428791

Function 068F45D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42714c65fe1b369fbea02c49c558170edab4ab11db5d84c399db3272fc4de4f7
Instruction ID: 48e0c55bbc053bd7ab61ec4d5c7fddcc933f22daa33d7aae4876df6a952c5cb4
Opcode Fuzzy Hash: 42714c65fe1b369fbea02c49c558170edab4ab11db5d84c399db3272fc4de4f7
Instruction Fuzzy Hash: 35915E34E102198BDF60CF68C850B9DB7B1FF89310F20869AD549FB295DB71AA85CF91

Function 068F42C8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df893f748494809831f607e00f39a88fb50debbdaade9567fbe0187c6537e77c
Instruction ID: 3180cbc4f69cd28403257684023722d2d00d25cdb3bb0d9f808ebfb6f4a08186
Opcode Fuzzy Hash: df893f748494809831f607e00f39a88fb50debbdaade9567fbe0187c6537e77c
Instruction Fuzzy Hash: A6812D34B112098BDF54DFB9D4547AEBBF2AF88300F108529E90AEB749EE74DC428791

Function 068F45F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb11e51452bf5ddf52b3ba654642ed13ebc5bd752384b6aadf01959da36678f5
Instruction ID: 80393a9ec6950b532ba5ebf99e22d2e5a58822156baebe2d8859b803523d50c3
Opcode Fuzzy Hash: cb11e51452bf5ddf52b3ba654642ed13ebc5bd752384b6aadf01959da36678f5
Instruction Fuzzy Hash: 1F913D34E102198BDF60DF68C890B9DB7B1FF89310F208699D549BB355DB71AA85CF90

Function 068FEB08 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b9d7334c77fbc28c693357f798422dc84cc0d26fb0909ccb6904023c171c99
Instruction ID: bf1615b68a64e681b4cf0b3d04fa5b077717bbe6ccc96db6ae4a6c020afe2d09
Opcode Fuzzy Hash: a4b9d7334c77fbc28c693357f798422dc84cc0d26fb0909ccb6904023c171c99
Instruction Fuzzy Hash: 94715B30A102089FDB54DFA9C984AADBBF6FF88300F248429E505EB365DB30ED46CB51

Function 068FEB18 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa6284c2751beb76b9baf67db982223989657c9425350b7d7f73ba3a868d693
Instruction ID: 2b94809f437eaa9d1d72ac7bcf691d7c15b361422d1b9ee1df56bc6101533246
Opcode Fuzzy Hash: 0fa6284c2751beb76b9baf67db982223989657c9425350b7d7f73ba3a868d693
Instruction Fuzzy Hash: 61713D30A102089FDB54DFA9D984AAEBBF6FF84310F248429E505EB365DB30ED46CB51

Function 068FFBA8 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b7e1ec1f472a4f69afde598704dcbcd5e4eef51cebbe30fae3862c855f5319
Instruction ID: b16402a5fbde19cf13e6fac1caee1156a128601afcb288eb671b21833a7e2408
Opcode Fuzzy Hash: f5b7e1ec1f472a4f69afde598704dcbcd5e4eef51cebbe30fae3862c855f5319
Instruction Fuzzy Hash: C751D135E10219CFDB54AFB8E4947ADBBB2FF84311F208869E706EB254DB358855CB80

Function 068FF959 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660d47375d556c821f77de7055b2cfc3868f6ecb5501441333c6f1448010928f
Instruction ID: 67663b700d9a9f2d5a46b391ad8061b3b32891dcd439579afe28e4332f92698d
Opcode Fuzzy Hash: 660d47375d556c821f77de7055b2cfc3868f6ecb5501441333c6f1448010928f
Instruction Fuzzy Hash: 79516870F203149FEFB46B7CD85476E269AD78A350F20452AE70BD7395CA79CC8187A1

Function 068FF968 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08328e3909b815829b28f01b89a5bced155d59d920b90d658de590e78e42452
Instruction ID: 23e2da67048edecc70ee5c9bd2a9158c8f97f54f51e747fbb4ab3728ed8cf9d1
Opcode Fuzzy Hash: f08328e3909b815829b28f01b89a5bced155d59d920b90d658de590e78e42452
Instruction Fuzzy Hash: 0C516370F202149BEFB46BBCD85476F269AD789750F204529E70BD7394CA79CC8287A2

Function 068F5440 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e69060ad20fa9dc0276dee405fb00714f815609849ccfddd16ccbc0596fcb9
Instruction ID: bfdcfb0ed91e095ad8c3f55e4d12ee91ab42016d87bf8b834d698750653ab941
Opcode Fuzzy Hash: f8e69060ad20fa9dc0276dee405fb00714f815609849ccfddd16ccbc0596fcb9
Instruction Fuzzy Hash: 7B414F71E106098FDF70CFA9D881BAFF7B2EB69310F10492AE315D7650D630E9558B92

Function 068FD958 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fbe2573dc334ca38c3562cc4b256a84b592aa62a8a62253abec3fcb8ae426
Instruction ID: cb356ac15c8dddcbcc7351346ad7890e561d220b3ce621125e62831961ce8436
Opcode Fuzzy Hash: 197fbe2573dc334ca38c3562cc4b256a84b592aa62a8a62253abec3fcb8ae426
Instruction Fuzzy Hash: CF317235E2030A8BDB25DFB8D59079DBBF2EF45300F148929E601EB345EB70A946CB51

Function 068F20C0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3219a551d9a4dae78543a3a28f79514c358e6e19211c228f4b9efaadb38dcad
Instruction ID: f9f9bf49bf3a332d6246f5388f875c585c13b02cf311e763a4597176e4245e49
Opcode Fuzzy Hash: c3219a551d9a4dae78543a3a28f79514c358e6e19211c228f4b9efaadb38dcad
Instruction Fuzzy Hash: EF317434F216099BCB55CFA4D86579EBBB2BF89300F108929EA05EB344DB71ED46CB50

Function 068F20D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cf75dd593a663b9d4510ec1fa5b55e9b3860d31d6eab682c6f321361b4ee41
Instruction ID: 7ba0dfcac8d899034492f0f95c3d892a25120422dc50e12bd71dd68943af9fae
Opcode Fuzzy Hash: 80cf75dd593a663b9d4510ec1fa5b55e9b3860d31d6eab682c6f321361b4ee41
Instruction Fuzzy Hash: C2315034F106099BCB55CFA4D96569EBBB2BF89300F108919EA05EB354EB71ED42CB50

Function 068F3AB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d1d61a4a0f39f100e711d3beab5e4ed7d317f252f1a3e6ed4a351550d10509
Instruction ID: 614a10387015a38cb89c6f89185c4be83d7d87fff98aff1647401a7cadf0d93d
Opcode Fuzzy Hash: 26d1d61a4a0f39f100e711d3beab5e4ed7d317f252f1a3e6ed4a351550d10509
Instruction Fuzzy Hash: 4C218975E11618AFDB40CFADD940BAEBBF5AB48310F148069EA04E7394E731DC418BE0

Function 068F3AC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e91b5b9bc6df6b8954f0052451784e398a1a7efd281a37293cc1ca39bb81da
Instruction ID: db3aa9139a6adfcdec0eb2b8a6b9645eee11837525d596ed7cd969a4eb5337da
Opcode Fuzzy Hash: 95e91b5b9bc6df6b8954f0052451784e398a1a7efd281a37293cc1ca39bb81da
Instruction Fuzzy Hash: 5C218675E116189FDB40DFA9D880BAEBBF1EB48310F108069EA05E7384E730DC418BA0

Function 00EDD1F8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60600915e4c97e4b3f1ab395e6ab61ebab70f78887a5d22a23112928dc6d87a
Instruction ID: 3118a8034251f78e48b95b3f1f090e883e514fba9ece924d4510c31da84872b0
Opcode Fuzzy Hash: f60600915e4c97e4b3f1ab395e6ab61ebab70f78887a5d22a23112928dc6d87a
Instruction Fuzzy Hash: 232104B1508200EFDB14DF14D984B26BB65FB84328F20C56AE8091B3A6C336D807CAA2

Function 00EDD3A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86801c2cd929f8ab62f44981126af78d88a8bd50437da96f237a1635c9ef1bd
Instruction ID: 2b15b3e682769abf6cac26879b9841b1ccad571a7c10f04f13265ff8ded9186e
Opcode Fuzzy Hash: d86801c2cd929f8ab62f44981126af78d88a8bd50437da96f237a1635c9ef1bd
Instruction Fuzzy Hash: C221D0B1608204EFDB14DF24D9C0B26BB65EB84318F24C56EE9095B396C376E847CA62

Function 00EDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c671dfe3765e602950fbce8d57289ad2bf4503f7f853b3f1adb1c18ca5152c5
Instruction ID: 21a07b11ac487f11aad96ef0b4688be36dc58ac40de3529b38cb58f7cb7c3ded
Opcode Fuzzy Hash: 1c671dfe3765e602950fbce8d57289ad2bf4503f7f853b3f1adb1c18ca5152c5
Instruction Fuzzy Hash: 8C21B371508244DFDB14DF14DD80B26BB66EB84318F24C56EE9095B396C376D847CA62

Function 00EDD005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b59de79d798579520950ef4bc7c78c06a29587e43822d7581e4a0d082975402
Instruction ID: 649d26f9910d46e04cc0ca24e8b1d7377814403c2709bca96dc1794bf3cde2f0
Opcode Fuzzy Hash: 3b59de79d798579520950ef4bc7c78c06a29587e43822d7581e4a0d082975402
Instruction Fuzzy Hash: 29216B7150D3C09FCB03CB24D990711BF71EB46214F2985EBD8898F6A3C33A980ACB62

Function 068F6CF8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc69002317d90453b85866f10116b5c993718775987cea58050a3e744724d97
Instruction ID: 569dd1933390872fb6554589e235f778a0352e89f949e5ac59ae45aeb5b262bb
Opcode Fuzzy Hash: cfc69002317d90453b85866f10116b5c993718775987cea58050a3e744724d97
Instruction Fuzzy Hash: 7521E730F201088BDF94EB69E95479DB7B6EF84350F208525E605E7384EB32DC41C790

Function 068F3078 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cddc8d081c6d9e51a94c5737ff38b0e845eec09bd501042ef41eacfe82f243d9
Instruction ID: 26ff9ea197b6b7e1b7e3ef5c12dae183c58dc7c92710ae502427c6f6f764f93c
Opcode Fuzzy Hash: cddc8d081c6d9e51a94c5737ff38b0e845eec09bd501042ef41eacfe82f243d9
Instruction Fuzzy Hash: 39116071E102189BCF64DB79D8416EEF7B5EB89310F148569E60AEB340EA31DA81CBD1

Function 068F3BD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984e9f89beaf6de18a0dad3e6b5419dd2a5ee5a48e711dd7fbf44cf8c473d471
Instruction ID: 6235d0f6eb0ac6fd77d25232b7b90450debe4937dcf3920b5bc4cfaac8213e47
Opcode Fuzzy Hash: 984e9f89beaf6de18a0dad3e6b5419dd2a5ee5a48e711dd7fbf44cf8c473d471
Instruction Fuzzy Hash: 83118E31B202284FCB949A7DC8256AE77EAEBC8350F108439D506E7348EE74DC0287D0

Function 068F4218 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ed9e35f50d75717849a9831fbf61b4a8520037314438e6e51b97602a8d4c68
Instruction ID: 9646ed3d1208df0594fd974f95036513dd8f7665d7feb58bbfb2a5c454c0e236
Opcode Fuzzy Hash: 32ed9e35f50d75717849a9831fbf61b4a8520037314438e6e51b97602a8d4c68
Instruction Fuzzy Hash: E801B535B201114BDB6596BC955572FA7EBDBC9210F24883AE70AC7385ED66CC024391

Function 068FED89 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdf6d593dc721a49913253e6a23e1d4f21793fbe186e3a58c65e059b18028e0
Instruction ID: 968383dfa38eb29517ea4795b90a368a9366be792ed5e7e8c14f7533033352e6
Opcode Fuzzy Hash: ffdf6d593dc721a49913253e6a23e1d4f21793fbe186e3a58c65e059b18028e0
Instruction Fuzzy Hash: 88017535B101145FDB659B6C9458B6E77D6EBC9710F108879E30ACB351EE65DD028381

Function 00EDD1F3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction ID: e2cc2f7640125a3aab00fcedd16a974def1a1be5563a76c6404715eae25988aa
Opcode Fuzzy Hash: 8a37c6801951d4ba7ad7433749c44e8efe01c680cd3f8f024970093133622734
Instruction Fuzzy Hash: BD119D76508280DFDB12CF14D9C4B15FB61FB84328F24C6AAD8495B756C33AD80ACBA2

Function 00EDD3A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3748799176.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 1365a96d1a9d5ccfca315f715523c737206652e36b385db32b46cac36dcd6b7f
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 49118EB5508240DFDB15CF10D9C4B15BB62FB84318F24C6AAD9494B796C33AE85ACB52

Function 068FA2E9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f3f780b1d73401332e62e4b6455fb7279eeb1234668fa9b0af4b761fcdfe42
Instruction ID: 8f2c4ed6289fe7ca6a4a1ed43cbb82e2b810691a57eba6650aac40727d0a6061
Opcode Fuzzy Hash: 19f3f780b1d73401332e62e4b6455fb7279eeb1234668fa9b0af4b761fcdfe42
Instruction Fuzzy Hash: 4A019234B211108FDB65AB7CD55171E7BE1EB49620F108829F64ACB395EE34EC02C781

Function 068F3898 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14d6c48cce88046b4b31b4524a22ec9e50c7176e910db3ab52e3ded2d3ecb95
Instruction ID: 3ae080d277c5e0877e3330796dffa5d14b09396ba26e697781f9af5cf22a3f90
Opcode Fuzzy Hash: f14d6c48cce88046b4b31b4524a22ec9e50c7176e910db3ab52e3ded2d3ecb95
Instruction Fuzzy Hash: CB11CFB5D01219AFDB10CF9AD884ADEFBF4FB48310F10852AEA18A7340C775A944CFA5

Function 068F4228 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caaa04476211e20b75b328c7224745bd2677a4b7040ef91b3c6dbe1fb4a9728b
Instruction ID: 7084a83d5e66e121356c98aa0bc6e5103b7fa7ff1782224af8a389b9887032b4
Opcode Fuzzy Hash: caaa04476211e20b75b328c7224745bd2677a4b7040ef91b3c6dbe1fb4a9728b
Instruction Fuzzy Hash: 8A01A235B201150BDB6596AD945472FB2DBDBCD320F20843AE70AC7385ED66DC024391

Function 068F3890 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100a07e64691c2c335bd6db3102b541e2894ad9629c245709c074aeee9ed548d
Instruction ID: df181b8c1f7c02e251abc348a321ccf154c5adebd6d3c029c05a4e70cbbc9309
Opcode Fuzzy Hash: 100a07e64691c2c335bd6db3102b541e2894ad9629c245709c074aeee9ed548d
Instruction Fuzzy Hash: 4D21EDB5D00619EFCB00CF9AD984BDEFBB4FB08210F10852AEA18A7600C374A954CFA4

Function 068F3BC7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b36c94c0fef0135d77d42a3b752b49e16d0efb9f5ec8e250f5a13c652e709a
Instruction ID: 9e334f054ee376c18b6806e9a49dc3a8a01fcb319b9e7248b6c3343a31eb9aeb
Opcode Fuzzy Hash: 32b36c94c0fef0135d77d42a3b752b49e16d0efb9f5ec8e250f5a13c652e709a
Instruction Fuzzy Hash: 7601D436B202284BCB859ABCDC253EE76EA9BC4300F15853AD605D7388EE64CC0283D0

Function 068FED98 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8074ef2fd36ef68ff3394edbfa5c769dd5dc3ac8aaa256fffee8d6a214ddd00
Instruction ID: 6b02a0bfdb553eec773fe514955067a7323b4770b4fd6e15cf3ae22851049207
Opcode Fuzzy Hash: f8074ef2fd36ef68ff3394edbfa5c769dd5dc3ac8aaa256fffee8d6a214ddd00
Instruction Fuzzy Hash: E301C835F201146BDBA5A67CA859B2F77D6EBC9720F108839F30ACB354EE65DC024381

Function 068FA2F8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1647ceadc32b0d4734ce6f6f9d5a2654beb79b3506f42660f1b24e0eaa8d8b09
Instruction ID: 2d12157dcc0a3f1c1c4abf149b26dcc8b766fd8d7ff8ce3f5c1ecf528cd4abf6
Opcode Fuzzy Hash: 1647ceadc32b0d4734ce6f6f9d5a2654beb79b3506f42660f1b24e0eaa8d8b09
Instruction Fuzzy Hash: 7C016D34B201148BDB64AB7CD851B1EB7D6EB89720F108829F60ECB344EE35EC028781

Function 068F6451 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbe98e102218f0afa2c767d2999bb3edd6ace9ffe8e96b8ab33a928758adee3
Instruction ID: 144774033ac21904241a4f25530dda2d104c587e743c51d032c5c1c94086e234
Opcode Fuzzy Hash: 1bbe98e102218f0afa2c767d2999bb3edd6ace9ffe8e96b8ab33a928758adee3
Instruction Fuzzy Hash: 24E09272D241049BDFA0DFB48A1539D77B5EF02204F2089A5C644DB141F537C9429340

Function 068F6460 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94ad7eefe596bf28aa8267fd218daa69c805cffb676c170ff98b4d6ac38a593
Instruction ID: 55b12cecc68aed61b876aa3aa338dd7ce095200482e0ae109419c1a7202321f8
Opcode Fuzzy Hash: c94ad7eefe596bf28aa8267fd218daa69c805cffb676c170ff98b4d6ac38a593
Instruction Fuzzy Hash: 22E0C271E20108ABDFA0EFB4C94575EB3ADDB06214F2089A4D608D7201F133CE414380

Non-executed Functions

Function 068F7680 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 068F7C01
$q, xrefs: 068F77A5
$q, xrefs: 068F7BF5
$q, xrefs: 068F7C17
$q, xrefs: 068F7B56
$q, xrefs: 068F7799
$q, xrefs: 068F77D6
$q, xrefs: 068F7C0B
$q, xrefs: 068F7B62
$q, xrefs: 068F77CA

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: bacaeb6474efae8efc98701581fbb8b37aa5ed62f46d70a5bd4fce5285de8655
Instruction ID: 5f651f17a38404c559f249691289cf6b6b4f257672d499b416780bf85493c0e5
Opcode Fuzzy Hash: bacaeb6474efae8efc98701581fbb8b37aa5ed62f46d70a5bd4fce5285de8655
Instruction Fuzzy Hash: 29121B30E112198FEB64DF69D854BADB7B2BF89304F248569E50AEB254DB309D81CF90

Function 068FA920 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 068FAA9C
$q, xrefs: 068FAA16
$q, xrefs: 068FAA22
$q, xrefs: 068FAAD2
$q, xrefs: 068FAADE
$q, xrefs: 068FAAA8
$q, xrefs: 068FAA7D
$q, xrefs: 068FAA71

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: 133ee17c84f96d072e653f139d2f7ee6a8945ae0a4e00e9d0678e17573073a45
Instruction ID: af9d07ff2083804106af4049111fbced00dfc61cc95382693c023024e7386b22
Opcode Fuzzy Hash: 133ee17c84f96d072e653f139d2f7ee6a8945ae0a4e00e9d0678e17573073a45
Instruction Fuzzy Hash: 67919030E20209DFEB68DF65D985BAE77F6AF44310F108529E606EB254DB749C45CB90

Function 068F7080 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 068F73BC
$q, xrefs: 068F73C8
$q, xrefs: 068F7362
$q, xrefs: 068F751C
$q, xrefs: 068F7588
$q, xrefs: 068F7594

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 16b6c66be9c84b7d363c06d288561aaca9c26bff834ca125d85a047c2b846fe4
Instruction ID: 43d9b62ce229f082d6cba495a3ac96f3715c0b728347f3c58215da2656fd4e58
Opcode Fuzzy Hash: 16b6c66be9c84b7d363c06d288561aaca9c26bff834ca125d85a047c2b846fe4
Instruction Fuzzy Hash: 1CF13C30A11209CFEB55EF68D594B6EBBB6FF88300F248568E506DB358DB359C42CB90

Function 069E5762 Relevance: 6.2, APIs: 4, Instructions: 159threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 069E581E
GetCurrentThread.KERNEL32 ref: 069E585B
GetCurrentProcess.KERNEL32 ref: 069E5898
GetCurrentThreadId.KERNEL32 ref: 069E58F1

Memory Dump Source

Source File: 00000003.00000002.3753697190.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: acb40badd9a738969fd565a210bfaaa5a12f3fe38a3c1fcbed37967f060e6810
Instruction ID: 8258463fbad2fb8dec12be7de85180f00f00c75e013c3223f660bd756503b2e1
Opcode Fuzzy Hash: acb40badd9a738969fd565a210bfaaa5a12f3fe38a3c1fcbed37967f060e6810
Instruction Fuzzy Hash: FF61BAB0801348DFEB55CFA9C948BDEBFF1EF49304F21845AE049AB2A2D7355844CB66

Function 069E57A0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 069E581E
GetCurrentThread.KERNEL32 ref: 069E585B
GetCurrentProcess.KERNEL32 ref: 069E5898
GetCurrentThreadId.KERNEL32 ref: 069E58F1

Memory Dump Source

Source File: 00000003.00000002.3753697190.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_69e0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 61735e612dd93e3d21a62aecceebb50491a40c8e06c6414c9b9d8e7130812d2b
Instruction ID: 4670c71d230e0119ad901126d74c2f6d3b20cb142ba1b7114a37270c5473d8e1
Opcode Fuzzy Hash: 61735e612dd93e3d21a62aecceebb50491a40c8e06c6414c9b9d8e7130812d2b
Instruction Fuzzy Hash: 4F5155B0D00309DFEB58CFAAD548B9EBBF1EF48314F208419E109AB3A0D7759944CB66

Function 068F83B8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 068F8612
$q, xrefs: 068F8683
$q, xrefs: 068F861E
$q, xrefs: 068F8677

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: b8bb1e1178b0fcb24e7e92d70f2d846afe7de037c5189dbd17ac76df6e71afb7
Instruction ID: c4eb8bb7c2001639d5473446559ae4b2b13609ac491c8398b31bbc8bd20511b9
Opcode Fuzzy Hash: b8bb1e1178b0fcb24e7e92d70f2d846afe7de037c5189dbd17ac76df6e71afb7
Instruction Fuzzy Hash: 0EB15B70E212098FDB64EB69C5847AEB7B6EF84300F248529E505EB355DB75DC82CB90

Function 068FACA8 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

$q, xrefs: 068FAE5B
$q, xrefs: 068FADD9
$q, xrefs: 068FAE2C
$q, xrefs: 068FAE84

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 4ba65280ebc403216a05e262df5d1b281f64cebb90c6aa598b03f3d2d4375fe2
Instruction ID: 9f5559884b922220f20f57a78dd0701446b32cad1165426c61ead92763ddfc5f
Opcode Fuzzy Hash: 4ba65280ebc403216a05e262df5d1b281f64cebb90c6aa598b03f3d2d4375fe2
Instruction Fuzzy Hash: 78518234E21209CFDF69EB68D5806AD73B6EF48321F148529EA19EB254DB31DC42CB51

Function 068F87D0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRq, xrefs: 068F8912
LRq, xrefs: 068F88C3
$q, xrefs: 068F884F
$q, xrefs: 068F885B

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: fb032f2c581b9f0ae1c944ed1fa4cbdf0f03ad9b3497f823bc86fbeb946630d8
Instruction ID: e00f21e39d783e0cda9c61917abf05bf17044e17ee5c6a954e26bd3bd7a18a2b
Opcode Fuzzy Hash: fb032f2c581b9f0ae1c944ed1fa4cbdf0f03ad9b3497f823bc86fbeb946630d8
Instruction Fuzzy Hash: 1F51AD70B202058FDB59EB28D981B6EB7F6FF88304B148569E616DF395DA31EC01CB91

Function 068FAD34 Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

$q, xrefs: 068FAE5B
$q, xrefs: 068FADD9
$q, xrefs: 068FAE2C
$q, xrefs: 068FAE84

Memory Dump Source

Source File: 00000003.00000002.3753597211.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_68f0000_Orden de compra HO-PO-376-25.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 6d26879581752a90adeeb928d9728e10ffd9079d2b17be0cccb6bcb2ba72fc7f
Instruction ID: cb3ea57fd0a218b656175cfdbf379231914fb932d582cc26f7f37b77b4ecee48
Opcode Fuzzy Hash: 6d26879581752a90adeeb928d9728e10ffd9079d2b17be0cccb6bcb2ba72fc7f
Instruction Fuzzy Hash: 10416534B21205CFDF69EB68D5806BD73B6FF88220B148569E919EB355EB31DC02CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Orden de compra HO-PO-376-25.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra HO-PO-376-25.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Orden de compra HO-PO-376-25.exe

Function 073EBDB5 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 073EBDC0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0177AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 017744B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0177590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 073EBB31 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 073EBC20 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Function 073EBB38 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 073EB560 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 0177B770 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0177D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 073EB568 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 073EBC28 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre