Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Orden de compra HO-PO-376-25.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.93132456588385
Filename:	Orden de compra HO-PO-376-25.exe
Filesize:	718848
MD5:	dcf506612856d6b0949977f0d8a69d09
SHA1:	34c33ed398e1d023f07b656c380176d982e3cdde
SHA256:	3bd34f842f57e9c8767fb1f12d573c017b26b14c99a345e01a3ec841efb8f962
SHA512:	c9afa0b2ad51b315b7df0b308c0ff3252dbfc4504c861d6dd2b4f2f2163403752f46193f79115ccaac9fee938cd2aa32a8dcac37fe9ca988cf23ebb4651266b5
SSDEEP:	12288:QCSZK3RbeXGvFNqZIHaLfHNRXLQQb2qQW3FOhm/sspWV12xKgSQZaN+:QvZK35eXuNqaa7PQ5qchqpq2Ygq+
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e0...............0.................. ... ....@.. .......................`............@................................

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code contains potential unpacker	Data Obfuscation
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)	Malware Analysis System Evasion
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)	Stealing of Sensitive Information	Credentials in Registry
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Tries to steal Mail credentials (via file / registry access)	Stealing of Sensitive Information	Email Collection
Abnormal high CPU Usage	System Summary	Process Injection
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Creates a window with clipboard capturing capabilities	Key, Mouse, Clipboard, Microphone and Screen Capturing	Clipboard Data
Detected potential crypto function	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found large amount of non-executed APIs	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information Archive Collected Data
.NET source code contains many API calls related to security	System Summary	Disable or Modify Tools
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Creates mutexes	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Queries process information (via WMI, Win32_Process)	System Summary	Windows Management Instrumentation
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Checks if Microsoft Office is installed	System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra HO-PO-376-25.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de compra HO-PO-376-25.exe.log
Category:	dropped
Dump:	Orden de compra HO-PO-376-25.exe.log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.34331486778365
Encrypted:	false
Ssdeep:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
Size:	1216
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
URLs found in memory or binary data	Networking
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"

Details

Is windows:	false
Is dropped:	false
PID:	1432
Target ID:	0
Parent PID:	4056
Name:	Orden de compra HO-PO-376-25.exe
Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Commandline:	"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Size:	718848
MD5:	DCF506612856D6B0949977F0D8A69D09
Time:	13:29:04
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xce0000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe

"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6328
Target ID:	3
Parent PID:	1432
Name:	Orden de compra HO-PO-376-25.exe
Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Commandline:	"C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe"
Size:	718848
MD5:	DCF506612856D6B0949977F0D8A69D09
Time:	13:29:05
Date:	25/11/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x850000
Modulesize:	745472
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AgentTesla	Stealing of Sensitive Information, Remote Access Functionality
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected zgRAT	Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Yara detected Generic Downloader	Networking
Binary contains a suspicious time stamp	Data Obfuscation	Timestomp
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
Creates files inside the user directory	System Summary	Masquerading
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

URLs

Name

Malicious

https://api.ipify.org/

172.67.74.152

Details

Name:	https://api.ipify.org/
IP:	172.67.74.152
TargetID:	3
From Memory:	false
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://api.ipify.org

unknown

Details

Name:	https://api.ipify.org
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://account.dyn.com/

unknown

Details

Name:	https://account.dyn.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	Orden de compra HO-PO-376-25.exe, 00000000.00000002.1309826886.0000000004081000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3748312484.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://api.ipify.org/t

unknown

Details

Name:	https://api.ipify.org/t
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

Details

Name:	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002C71000.00000004.00000800.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ftp.gizemetiket.com.tr

unknown

Details

Name:	http://ftp.gizemetiket.com.tr
TargetID:	3
From Memory:	true
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Source:	Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D5D000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Orden de compra HO-PO-376-25.exe, 00000003.00000002.3749743941.0000000002D02000.00000004.00000800.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://tempuri.org/DataSet1.xsd

unknown

Domains

Name

Malicious

ftp.gizemetiket.com.tr

93.89.225.40

Details

Name:	ftp.gizemetiket.com.tr
IP:	93.89.225.40
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

api.ipify.org

172.67.74.152

Details

Name:	api.ipify.org
IP:	172.67.74.152
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

93.89.225.40

ftp.gizemetiket.com.tr

Turkey

Details

IP:	93.89.225.40
TargetID:	3
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Country:	Turkey
Countrycode:	TUR
ASN number:	51557
ASN name:	TR-FBSTR
Private:	false
Domain:	ftp.gizemetiket.com.tr

Signature Hits	Behavior Group	Mitre Attack
Uses FTP	Networking	Application Layer Protocol Exfiltration Over Alternative Protocol

172.67.74.152

api.ipify.org

United States

Details

IP:	172.67.74.152
TargetID:	3
Current Path:	C:\Users\user\Desktop\Orden de compra HO-PO-376-25.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Orden de compra HO-PO-376-25_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

5AE0000

trusted library section

page read and write

2CC1000

trusted library allocation

page read and write

2CEC000

trusted library allocation

page read and write

4081000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

64FC000

heap

page read and write

120B000

trusted library allocation

page execute and read and write

61BD000

stack

page read and write

1473000

trusted library allocation

page execute and read and write

A32E000

stack

page read and write

68E0000

trusted library allocation

page read and write

5586000

trusted library allocation

page read and write

11D0000

heap

page read and write

6050000

trusted library allocation

page read and write

1783000

heap

page read and write

12B0000

trusted library allocation

page read and write

1496000

trusted library allocation

page execute and read and write

12AF000

heap

page read and write

7B00000

heap

page read and write

55A0000

trusted library allocation

page read and write

64E3000

heap

page read and write

13F66000

trusted library allocation

page read and write

72C0000

heap

page read and write

56E0000

trusted library allocation

page execute and read and write

671E000

stack

page read and write

11C0000

heap

page read and write

A46E000

stack

page read and write

30C6000

trusted library allocation

page read and write

58EE000

stack

page read and write

CE0000

unkown

page readonly

76F0000

trusted library allocation

page execute and read and write

3081000

trusted library allocation

page read and write

EC3000

trusted library allocation

page execute and read and write

11A0000

heap

page read and write

BD6E000

trusted library allocation

page read and write

126E000

stack

page read and write

EF8000

heap

page read and write

2B7E000

stack

page read and write

73D0000

trusted library allocation

page read and write

6887000

trusted library allocation

page read and write

2D5D000

trusted library allocation

page read and write

64E0000

heap

page read and write

149A000

trusted library allocation

page execute and read and write

2CEA000

trusted library allocation

page read and write

74EFF000

unkown

page readonly

D60000

heap

page read and write

17C7000

heap

page read and write

635E000

unkown

page read and write

1474000

trusted library allocation

page read and write

1780000

heap

page read and write

3C99000

trusted library allocation

page read and write

13F69000

trusted library allocation

page read and write

F19000

heap

page read and write

72CE000

heap

page read and write

5270000

heap

page execute and read and write

50BB000

trusted library allocation

page read and write

1790000

trusted library allocation

page read and write

A22E000

stack

page read and write

521B000

stack

page read and write

557E000

trusted library allocation

page read and write

5560000

trusted library allocation

page read and write

2CA6000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

50B0000

trusted library allocation

page read and write

2D00000

trusted library allocation

page read and write

6E7C000

stack

page read and write

1217000

heap

page read and write

55B0000

trusted library allocation

page read and write

7090000

trusted library allocation

page read and write

53FC000

stack

page read and write

1770000

trusted library allocation

page execute and read and write

60F7000

heap

page read and write

16B2000

trusted library allocation

page read and write

5100000

trusted library allocation

page read and write

311C000

trusted library allocation

page read and write

12A0000

heap

page execute and read and write

5690000

heap

page read and write

7C00000

trusted library allocation

page read and write

ECD000

trusted library allocation

page execute and read and write

5720000

trusted library allocation

page read and write

50C2000

trusted library allocation

page read and write

5130000

heap

page read and write

EE6000

trusted library allocation

page execute and read and write

54FC000

stack

page read and write

5A55000

heap

page read and write

68D0000

trusted library allocation

page read and write

3C71000

trusted library allocation

page read and write

6B8C000

stack

page read and write

10EC000

stack

page read and write

625E000

stack

page read and write

50D1000

trusted library allocation

page read and write

68CD000

stack

page read and write

12D0000

heap

page read and write

5730000

trusted library section

page readonly

EB0000

trusted library allocation

page read and write

5D9C000

stack

page read and write

554E000

stack

page read and write

55A5000

trusted library allocation

page read and write

F9A000

heap

page read and write

7AFE000

stack

page read and write

3CD7000

trusted library allocation

page read and write

16BB000

trusted library allocation

page execute and read and write

6F8C000

stack

page read and write

5630000

trusted library allocation

page read and write

56E0000

trusted library allocation

page read and write

148D000

trusted library allocation

page execute and read and write

5750000

heap

page execute and read and write

5564000

trusted library allocation

page read and write

EF0000

heap

page read and write

789E000

stack

page read and write

5A50000

heap

page read and write

567C000

stack

page read and write

2C5C000

stack

page read and write

1492000

trusted library allocation

page read and write

10F7000

heap

page read and write

588B000

stack

page read and write

11FB000

heap

page read and write

5740000

heap

page read and write

6532000

heap

page read and write

5581000

trusted library allocation

page read and write

16AE000

stack

page read and write

4D6E000

stack

page read and write

2B88000

trusted library allocation

page read and write

7F90000

heap

page read and write

5620000

heap

page read and write

13F6E000

trusted library allocation

page read and write

5592000

trusted library allocation

page read and write

69E0000

trusted library allocation

page execute and read and write

1202000

trusted library allocation

page read and write

3070000

heap

page execute and read and write

74EE1000

unkown

page execute read

1287000

heap

page read and write

657F000

heap

page read and write

2C71000

trusted library allocation

page read and write

D00000

heap

page read and write

73E0000

trusted library allocation

page execute and read and write

EE2000

trusted library allocation

page read and write

747E000

stack

page read and write

171E000

stack

page read and write

D92000

unkown

page readonly

F23000

heap

page read and write

7F66000

trusted library allocation

page read and write

5FE0000

trusted library allocation

page read and write

1490000

trusted library allocation

page read and write

A4AE000

stack

page read and write

50D6000

trusted library allocation

page read and write

6C0E000

stack

page read and write

74EF6000

unkown

page readonly

685E000

stack

page read and write

7F890000

trusted library allocation

page execute and read and write

147D000

trusted library allocation

page execute and read and write

5EDB000

stack

page read and write

68F0000

trusted library allocation

page execute and read and write

F6D000

heap

page read and write

6E80000

heap

page read and write

6C40000

heap

page read and write

17B0000

trusted library allocation

page read and write

68D6000

trusted library allocation

page read and write

11C5000

heap

page read and write

661E000

stack

page read and write

1200000

trusted library allocation

page read and write

EC4000

trusted library allocation

page read and write

DB5E000

trusted library allocation

page read and write

1480000

trusted library allocation

page read and write

687D000

trusted library allocation

page read and write

74EE0000

unkown

page readonly

A5AE000

stack

page read and write

61D0000

heap

page read and write

50F4000

trusted library allocation

page read and write

143E000

stack

page read and write

EE0000

trusted library allocation

page read and write

6BCE000

stack

page read and write

5DA9000

heap

page read and write

D50000

heap

page read and write

14A0000

heap

page read and write

15AF000

stack

page read and write

E7C000

stack

page read and write

7430000

trusted library allocation

page read and write

175B000

stack

page read and write

7F6E000

trusted library allocation

page read and write

5DA0000

heap

page read and write

50E2000

trusted library allocation

page read and write

74EFD000

unkown

page read and write

2D02000

trusted library allocation

page read and write

5890000

heap

page read and write

50F0000

trusted library allocation

page read and write

6C60000

trusted library allocation

page execute and read and write

79BF000

stack

page read and write

563B000

trusted library allocation

page read and write

7420000

trusted library allocation

page read and write

50BE000

trusted library allocation

page read and write

A36E000

stack

page read and write

1207000

trusted library allocation

page execute and read and write

50DD000

trusted library allocation

page read and write

2D5B000

trusted library allocation

page read and write

61C0000

heap

page read and write

FA5000

heap

page read and write

69D0000

trusted library allocation

page read and write

7FA0000

heap

page read and write

CE2000

unkown

page readonly

603B000

stack

page read and write

A1EE000

stack

page read and write

1270000

heap

page read and write

76DD000

stack

page read and write

11FE000

heap

page read and write

30CF000

trusted library allocation

page read and write

EDD000

trusted library allocation

page execute and read and write

56F0000

trusted library allocation

page read and write

16D0000

trusted library allocation

page read and write

1230000

heap

page read and write

1137000

stack

page read and write

615D000

stack

page read and write

60DC000

stack

page read and write

5088000

trusted library allocation

page read and write

5632000

trusted library allocation

page read and write

74EFD000

unkown

page read and write

6040000

trusted library allocation

page read and write

73C0000

trusted library allocation

page execute and read and write

1760000

heap

page read and write

5B00000

trusted library allocation

page read and write

99A000

stack

page read and write

675E000

stack

page read and write

558D000

trusted library allocation

page read and write

56E9000

trusted library allocation

page read and write

1205000

trusted library allocation

page execute and read and write

2CE8000

trusted library allocation

page read and write

FA2000

heap

page read and write

6880000

trusted library allocation

page read and write

79FE000

stack

page read and write

5140000

heap

page read and write

556B000

trusted library allocation

page read and write

7EEB0000

trusted library allocation

page execute and read and write

5260000

heap

page read and write

5134000

heap

page read and write

1232000

heap

page read and write

EC0000

trusted library allocation

page read and write

1290000

trusted library allocation

page execute and read and write

60F0000

heap

page read and write

1220000

trusted library allocation

page read and write

1190000

heap

page read and write

13FE000

stack

page read and write

12D7000

heap

page read and write

7436000

trusted library allocation

page read and write

16B7000

trusted library allocation

page execute and read and write

BD69000

trusted library allocation

page read and write

6C50000

heap

page read and write

708D000

stack

page read and write

1470000

trusted library allocation

page read and write

2C60000

heap

page read and write

D66000

heap

page read and write

5FDD000

stack

page read and write

BD66000

trusted library allocation

page read and write

1224000

heap

page read and write

654D000

heap

page read and write

17A0000

trusted library allocation

page read and write

EEA000

trusted library allocation

page execute and read and write

10F0000

heap

page read and write

103A000

stack

page read and write

6870000

trusted library allocation

page read and write

11F0000

heap

page read and write

2CAF000

trusted library allocation

page read and write

306F000

stack

page read and write

2CF2000

trusted library allocation

page read and write

16B0000

trusted library allocation

page read and write

F26000

heap

page read and write

7720000

trusted library section

page read and write

D4C000

stack

page read and write

11FC000

stack

page read and write

58A0000

trusted library allocation

page execute and read and write

F8F000

heap

page read and write

50CE000

trusted library allocation

page read and write

55D0000

trusted library allocation

page read and write

5610000

heap

page read and write

2CBD000

trusted library allocation

page read and write

7F69000

trusted library allocation

page read and write

1460000

trusted library allocation

page read and write

ED0000

trusted library allocation

page read and write

CF8000

stack

page read and write

17C0000

heap

page read and write

698E000

stack

page read and write

12C0000

trusted library allocation

page read and write

6C30000

trusted library allocation

page read and write

There are 272 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Orden de compra HO-PO-376-25.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportOrden de compra HO-PO-376-25.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
Orden de compra HO-PO-376-25.exe