Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Avira: detected |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
ReversingLabs: Detection: 68% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Joe Sandbox ML: detected |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
Source: global traffic |
TCP traffic: 192.168.2.4:49737 -> 194.48.248.72:7833 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 194.48.248.72 |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: http://prototype.conio.net/ |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: http://www.atozed.com |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: http://www.wapforum.org/DTD/wml_1.1.xml |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: http://www.wapforum.org/DTD/xhtml-mobile10.dtd |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Process Stats: CPU usage > 49% |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131BAC47 |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe, 00000000.00000000.1679007389.0000000000EE4000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamePeopleMatter: vs 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Binary or memory string: OriginalFilenamePeopleMatter: vs 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Source: classification engine |
Classification label: mal80.evad.winEXE@3/0@0/1 |
Source: Yara match |
File source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000000.1678844742.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: NATS-SEFI-ADD |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: NATS-DANO-ADD |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: JIS_C6229-1984-b-add |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: jp-ocr-b-add |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: JIS_C6229-1984-hand-add |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: jp-ocr-hand-add |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: ISO_6937-2-add |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: <P>The IP/Address you used was %s.%s |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
String found in binary or memory: Execute via &Default browser/Launch default browser and execute application. |
Source: unknown |
Process created: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe "C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe" |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Process created: C:\Windows\SysWOW64\grpconv.exe C:\windows\syswow64\grpconv.exe |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Section loaded: wship6.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
Section loaded: kernel.appcore.dll |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Static file information: File size 20952576 > 1048576 |
Source: 5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1315000 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_14A8C880 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019BE14 push esp; retf 0019h |
0_2_0019BE15 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019C994 push esp; retf 0019h |
0_2_0019C995 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019BF81 push esp; retf 0019h |
0_2_0019BFA1 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019B549 push esp; retf 0019h |
0_2_0019B559 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019BEE0 push esp; retf 0019h |
0_2_0019BEE1 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Code function: 0_2_0019C9E0 push esp; retf 0019h |
0_2_0019C9E1 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_13195609 push ecx; ret |
5_2_1319561C |
Source: C:\Windows\SysWOW64\grpconv.exe |
Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe TID: 7892 |
Thread sleep time: -146000s >= -30000s |
Source: C:\Windows\SysWOW64\grpconv.exe TID: 7172 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\grpconv.exe TID: 8180 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\grpconv.exe |
File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\SysWOW64\grpconv.exe |
Thread delayed: delay time: 60000 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Thread delayed: delay time: 30000 |
Source: grpconv.exe, 00000005.00000002.4132852100.00000000029A8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\SysWOW64\grpconv.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\SysWOW64\grpconv.exe |
Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131A1C1F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131B2121 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131ACD25 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131B2165 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_131946C5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Memory allocated: C:\Windows\SysWOW64\grpconv.exe base: 13140000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Memory written: C:\Windows\SysWOW64\grpconv.exe base: 13140000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Memory written: C:\Windows\SysWOW64\grpconv.exe base: 13140000 |
Source: C:\Users\user\Desktop\5086520740-COMPROBANTE-DE-PAGO-000255784540102210.exe |
Memory written: C:\Windows\SysWOW64\grpconv.exe base: 471008 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: EnumSystemLocalesW, |
5_2_131B176D |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW, |
5_2_131BB391 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW, |
5_2_131BB7FC |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW, |
5_2_131BBA28 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
5_2_131BBAF7 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: EnumSystemLocalesW, |
5_2_131BB51E |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
5_2_131BB922 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW, |
5_2_131B1D26 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetACP,IsValidCodePage,GetLocaleInfoW, |
5_2_131BB196 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
5_2_131BB5A9 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: EnumSystemLocalesW, |
5_2_131BB438 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: EnumSystemLocalesW, |
5_2_131BB483 |
Source: C:\Windows\SysWOW64\grpconv.exe |
Code function: 5_2_13181B54 GetSystemTimeAsFileTime, |