Windows Analysis Report
Justificante de pago.exe

Overview

General Information

Sample name: Justificante de pago.exe
Analysis ID: 1571282
MD5: 0c0b566099d8f32313cac142624e9b89
SHA1: c91bd91424a20a9d45cc62cd3aaa85afefe60a74
SHA256: e47dfbb5bd64ac09562d7d20618ba7f024a0b7547d864217feb0586f7145cdb0
Tags: exe, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 0000000E.00000002.2180128990.0000000000D57000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["1:7643:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-14OQCD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe ReversingLabs: Detection: 63%
Source: Justificante de pago.exe ReversingLabs: Detection: 63%
Source: Justificante de pago.exe Virustotal: Detection: 73%
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2180128990.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543491647.0000000002E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Joe Sandbox ML: detected
Source: Justificante de pago.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 14_2_0043293A
Source: Justificante de pago.exe, 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_9f67ade6-a

Exploits

Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406764 _wcslen,CoGetObject, 14_2_00406764
Source: Justificante de pago.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Justificante de pago.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 14_2_0040B335
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 14_2_0041B42F
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 14_2_0040B53A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0044D5E9 FindFirstFileExA, 14_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 14_2_004089A9
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406AC2 FindFirstFileW,FindNextFileW, 14_2_00406AC2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 14_2_00407A8C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 14_2_00418C69
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 14_2_00408DA7
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 14_2_00406F06
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 4x nop then jmp 09A0E1EBh 10_2_09A0E273

Networking

Source: Malware configuration extractor URLs: 1
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004260F7 recv, 14_2_004260F7
Source: TYLngHLuy.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: Justificante de pago.exe, 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, TYLngHLuy.exe, 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, TYLngHLuy.exe, 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: TYLngHLuy.exe, 0000000A.00000002.2200650193.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: Justificante de pago.exe, 00000000.00000002.2141971845.0000000003271000.00000004.00000800.00020000.00000000.sdmp, TYLngHLuy.exe, 0000000A.00000002.2200650193.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 14_2_004099E4
Source: C:\Users\user\Desktop\Justificante de pago.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Justificante de pago.exe
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 14_2_004159C6
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 14_2_00409B10
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2180128990.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543491647.0000000002E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041BB77 SystemParametersInfoW, 14_2_0041BB77

System Summary

Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\Justificante de pago.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 14_2_004158B9
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492278 0_2_01492278
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01490860 0_2_01490860
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01490F18 0_2_01490F18
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01497318 0_2_01497318
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492154 0_2_01492154
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_0149210D 0_2_0149210D
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492054 0_2_01492054
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_014920B2 0_2_014920B2
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492268 0_2_01492268
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_0149A4A3 0_2_0149A4A3
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492B00 0_2_01492B00
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01492B10 0_2_01492B10
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_014915FA 0_2_014915FA
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01493640 0_2_01493640
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491608 0_2_01491608
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_0149363D 0_2_0149363D
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491BCF 0_2_01491BCF
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491A38 0_2_01491A38
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491CB5 0_2_01491CB5
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491E7A 0_2_01491E7A
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491E04 0_2_01491E04
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01491E3B 0_2_01491E3B
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02942278 10_2_02942278
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02940860 10_2_02940860
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02940F18 10_2_02940F18
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02947318 10_2_02947318
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02942268 10_2_02942268
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_029420B2 10_2_029420B2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02942054 10_2_02942054
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_0294210D 10_2_0294210D
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_0294215A 10_2_0294215A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_0294A4A2 10_2_0294A4A2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02942B10 10_2_02942B10
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02942B00 10_2_02942B00
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02940E80 10_2_02940E80
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941600 10_2_02941600
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941608 10_2_02941608
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02943631 10_2_02943631
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02943640 10_2_02943640
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941A38 10_2_02941A38
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941BCF 10_2_02941BCF
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941E04 10_2_02941E04
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941E3B 10_2_02941E3B
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941E7A 10_2_02941E7A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02941CB5 10_2_02941CB5
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A00F38 10_2_09A00F38
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A08A70 10_2_09A08A70
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A0AC60 10_2_09A0AC60
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A08E98 10_2_09A08E98
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A0B098 10_2_09A0B098
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_09A092E0 10_2_09A092E0
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041D071 14_2_0041D071
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004520D2 14_2_004520D2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043D098 14_2_0043D098
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00437150 14_2_00437150
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004361AA 14_2_004361AA
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00426254 14_2_00426254
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00431377 14_2_00431377
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043651C 14_2_0043651C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041E5DF 14_2_0041E5DF
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0044C739 14_2_0044C739
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004367C6 14_2_004367C6
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004267CB 14_2_004267CB
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043C9DD 14_2_0043C9DD
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00432A49 14_2_00432A49
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00436A8D 14_2_00436A8D
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043CC0C 14_2_0043CC0C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00436D48 14_2_00436D48
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00434D22 14_2_00434D22
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00426E73 14_2_00426E73
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00440E20 14_2_00440E20
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043CE3B 14_2_0043CE3B
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00412F45 14_2_00412F45
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00452F00 14_2_00452F00
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00426FAD 14_2_00426FAD
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: String function: 004020E7 appears 39 times
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: String function: 004338A5 appears 41 times
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: String function: 00433FB0 appears 55 times
Source: Justificante de pago.exe, 00000000.00000002.2149247212.0000000009F70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Justificante de pago.exe
Source: Justificante de pago.exe, 00000000.00000002.2148003481.0000000008000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Justificante de pago.exe
Source: Justificante de pago.exe, 00000000.00000002.2141054489.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Justificante de pago.exe
Source: Justificante de pago.exe, 00000000.00000002.2141971845.000000000339B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Justificante de pago.exe
Source: Justificante de pago.exe, 00000000.00000002.2148831132.00000000087A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezilb.exe0 vs Justificante de pago.exe
Source: Justificante de pago.exe, 00000000.00000002.2142961583.0000000004A79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Justificante de pago.exe
Source: Justificante de pago.exe Binary or memory string: OriginalFilenamezilb.exe0 vs Justificante de pago.exe
Source: Justificante de pago.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Justificante de pago.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TYLngHLuy.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, UOde2UcdcQVGGXFk6M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.SetAccessControl
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.AddAccessRule
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.SetAccessControl
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.AddAccessRule
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.SetAccessControl
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, CUWBgd994v9yS7mZ9Z.cs Security API names: _0020.AddAccessRule
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, UOde2UcdcQVGGXFk6M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, UOde2UcdcQVGGXFk6M.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@19/16@0/1
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 14_2_00416AB7
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 14_2_0040E219
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource, 14_2_0041A63F
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 14_2_00419BC4
Source: C:\Users\user\Desktop\Justificante de pago.exe File created: C:\Users\user\AppData\Roaming\TYLngHLuy.exe
Source: C:\Users\user\Desktop\Justificante de pago.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-14OQCD
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Mutant created: \Sessions\1\BaseNamedObjects\RSWDIExO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Users\user\Desktop\Justificante de pago.exe File created: C:\Users\user\AppData\Local\Temp\tmpEABB.tmp
Source: Justificante de pago.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Justificante de pago.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Justificante de pago.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Justificante de pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Justificante de pago.exe ReversingLabs: Detection: 63%
Source: Justificante de pago.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\Justificante de pago.exe File read: C:\Users\user\Desktop\Justificante de pago.exe
Source: unknown Process created: C:\Users\user\Desktop\Justificante de pago.exe "C:\Users\user\Desktop\Justificante de pago.exe"
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Justificante de pago.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TYLngHLuy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\user\AppData\Local\Temp\tmpEABB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Users\user\Desktop\Justificante de pago.exe "C:\Users\user\Desktop\Justificante de pago.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\TYLngHLuy.exe C:\Users\user\AppData\Roaming\TYLngHLuy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\user\AppData\Local\Temp\tmp529.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process created: C:\Users\user\AppData\Roaming\TYLngHLuy.exe "C:\Users\user\AppData\Roaming\TYLngHLuy.exe"
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Justificante de pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Justificante de pago.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Justificante de pago.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Justificante de pago.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, CUWBgd994v9yS7mZ9Z.cs .Net Code: Ni2jfsxHJ0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, CUWBgd994v9yS7mZ9Z.cs .Net Code: Ni2jfsxHJ0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Justificante de pago.exe.33d4640.0.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Justificante de pago.exe.4a91d80.1.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Justificante de pago.exe.8000000.6.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, CUWBgd994v9yS7mZ9Z.cs .Net Code: Ni2jfsxHJ0 System.Reflection.Assembly.Load(byte[])
Source: 10.2.TYLngHLuy.exe.2c54904.1.raw.unpack, L2.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041BCE3
Source: C:\Users\user\Desktop\Justificante de pago.exe Code function: 0_2_01490C4B push ecx; retf 0_2_01490C4C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 10_2_02940C4B push ecx; retf 10_2_02940C4C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004567E0 push eax; ret 14_2_004567FE
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0045B9DD push esi; ret 14_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00463EF3 push ds; retf 14_2_00463EEC
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00455EAF push ecx; ret 14_2_00455EC2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00433FF6 push ecx; ret 14_2_00434009
Source: Justificante de pago.exe Static PE information: section name: .text entropy: 7.846977246687542
Source: TYLngHLuy.exe.0.dr Static PE information: section name: .text entropy: 7.846977246687542
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, NF0U3o85styr0UIlr0.cs High entropy of concatenated method names: 'c9c2pYRA8F', 'Wkd2GctYba', 'ToString', 'sNO2MaD6LW', 'qkB2C1KSlo', 'ShT2Q7V1e7', 'uOS2KDqSqv', 'AIT2LWQVvy', 'Q3e2xYkm1d', 'bdO29Zuu0X'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, RgVUj8C20DhfcyAVmn.cs High entropy of concatenated method names: 'Dispose', 'v1cIyoGP9V', 'tN7TsWOAuS', 'k7cwokAEsr', 'LjtIbLZM5y', 'q5mIzknXn3', 'ProcessDialogKey', 'y8qTAEklh5', 'M2gTIZOKDC', 'KkSTT6sjNZ'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, CUWBgd994v9yS7mZ9Z.cs High entropy of concatenated method names: 'Donmdf09OA', 'SysmMLI286', 'RnGmCIyf0n', 'H5KmQtFkB0', 'lWTmKxIpaT', 'Vu9mLKr46f', 'd6hmxPnuLE', 'ljDm9JDih3', 'QHlm0DBnIB', 'P8MmpYxk3p'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, UhWILV4gvDXpyhvuh8.cs High entropy of concatenated method names: 'eckxM9lrgs', 'fSTxQCtJXn', 'EuExLO3ShF', 'R6xLbRd4dg', 'rw3LzwIeGG', 'B8YxAs88yh', 't6RxIMaC9s', 'jiWxTB5ilp', 'mFAxmRyGNu', 's8dxjdf7GK'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, UOde2UcdcQVGGXFk6M.cs High entropy of concatenated method names: 'Be1CNh6hjE', 'aejCSPUoYR', 'VvNCaeendw', 'aNhC8mVEbX', 'x0BCqnUOd7', 'S7jCOwBSgf', 'psDCZWi4By', 'alACeSU1D6', 'txHCyXYGyI', 'xo6CbAYYq2'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, osFZBOHBZsAJcprqgS.cs High entropy of concatenated method names: 'XJbKvZolC6', 'lSJKo2xNkh', 'pn3QncsLhn', 'zQrQitLLFk', 'auBQ3HBlb6', 'RL0Qt7J4xM', 'C7wQ4EjtpE', 'k6vQ5UiCEl', 'GbrQEXJ8iA', 'Vk9QhRHWDy'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, pBnf86IjVDR59piLt5K.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Shj1Ubsbty', 'Dth1rQfeSW', 'kqj1R2ftye', 't7x11kv19E', 'mYn16ikrVc', 'FfI1WvGQQx', 'EQ41FwCjRQ'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, i97c7jXusA5TqhbY5O.cs High entropy of concatenated method names: 'To5LdbOqw7', 'ShELC4xhYb', 'N3NLK1SVP5', 'tZfLxkg22l', 'ahGL9sjgWK', 'cACKq6wWm9', 'qVWKOODsd9', 'AgEKZ27nMM', 'VyuKe552Dx', 'JKoKyJcupD'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, i1nYCkz6WPbk7gIdQr.cs High entropy of concatenated method names: 'IQsrPZVHvU', 'C0OrcuNYsc', 'kBdrDYJI8I', 'PUErXVJ8K3', 'mcVrsDsk7F', 'OsJri0u4tm', 'IFEr3jVbkn', 'HaLrFmKNiH', 'MnirY7yS7h', 'g1HruNB3To'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, dv1eXVguZjBKA2ksdb.cs High entropy of concatenated method names: 'X3ZBcetceY', 'UcqBDV4Dkx', 'jPiBXn4cRi', 'A6jBsf7N7V', 'GynBiRLFYX', 'r1PB3pZlZE', 'gW2B4oF07k', 'jiGB5ANtCF', 'qjgBhLrx3x', 'heBBwl6YV2'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, Gwsq6pD7TehJh6XwMv.cs High entropy of concatenated method names: 'n4RQVtD54T', 'HRkQP6o3UF', 'K0JQcw4LZF', 'FkfQDkZJqI', 'lWhQkn3MWB', 'hjYQJl171o', 'Y8BQ2FFAs4', 'z6pQ7W0IO7', 'E3NQUV2UFV', 'kmcQrYiYND'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, EY6SvIO0tKajU4b5R3.cs High entropy of concatenated method names: 'Okp2e0a1wq', 'j6r2bwlaGp', 'T1r7AaLPDi', 'mHV7IptprO', 'PoB2wKSBjy', 'e932lhmsJk', 'JmF2g0tiZJ', 'AuK2NkIpUy', 'kI02SCSI7r', 'LtI2aFGjMG'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, v0jJGmIIpG0BNsTM3f6.cs High entropy of concatenated method names: 'RIsrbQTvD0', 'ljkrz6V3uN', 'AFtRAK5Eic', 'z7DRIlMWkn', 'xYgRT9mOfH', 'vQhRmHk6ku', 'EJjRjjeGWV', 'L7rRd73w1Y', 'VgxRMVIjB5', 'mQxRCW4DCN'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, vsjNZlbPrKsvreki44.cs High entropy of concatenated method names: 'VVIrQG5QvO', 'y7QrKFWx8T', 'j6hrLbADkq', 'nAbrxULMGh', 'ma3rUr3Txo', 'Ww7r9sKUBh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, B9jTKcZxh61coGP9V4.cs High entropy of concatenated method names: 'fkmUks0N1c', 'ADZU2j4BLX', 'y8dUU5lCQa', 'i6cURcg3ut', 'XlrU6u82s9', 'eEKUFOv6M2', 'Dispose', 'Ksg7MolUyI', 'XBk7CN3LVT', 'c527QlOoow'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, QCyUa3TMjwiiaWqOsj.cs High entropy of concatenated method names: 'iu1fUd1XA', 'E8YVFROkV', 'C2cParlsj', 'K2Ao3oEr2', 'sr6DIDrdT', 'ETOHFUu5V', 'pgJ0Jk3uInEl8lQAmq', 'tiEbfqSWmME1CIou1K', 'eHD7U3wNS', 'fFor5CPXU'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, nw0ssXjKdKjQC2pJfj.cs High entropy of concatenated method names: 'xKOIxOde2U', 'ecQI9VGGXF', 'l7TIpehJh6', 'GwMIGvksFZ', 'mrqIkgSK97', 'D7jIJusA5T', 'rVT5JrcoWInAUrcpSM', 'oIqbYdBF05wcG9u97A', 'N36II59dcH', 'oEnImKVgm6'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, D0DI1YEYj1iElTSGet.cs High entropy of concatenated method names: 'cXxxYJeLep', 'DN6xucjKKR', 'gQXxf7SR5G', 'DuyxVTA7kI', 'FKPxvRyFpY', 's4GxPQcP68', 'O8OxoEMWrS', 'KKxxcKOUxF', 'OoBxDuPN0a', 'SrfxHpCPAI'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, NxUlCcNCwcOpVpDoJU.cs High entropy of concatenated method names: 'HMckhI6pNv', 'xpOkldyP5k', 'egCkNjPgLR', 'D4ckSXBIxv', 'VMtksLToot', 'JUOknGsWho', 'mUNkifb9fD', 'ShAk3kkYqh', 'ITxktK7Poa', 'C2Pk4MeTCg'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, UEklh5y52gZOKDCtkS.cs High entropy of concatenated method names: 'fH1UXtUXms', 'p6sUsJDZCa', 'UEKUncQphb', 'iOXUip7jKX', 'iZiU3pqBtW', 'x6OUtdILDT', 'QwMU4TsIMJ', 'CTtU57Rfb5', 'eoCUE7tTYZ', 'q42UhXT9t7'
Source: 0.2.Justificante de pago.exe.9f70000.7.raw.unpack, YX1qR8sJC0UsMlZGTT.cs High entropy of concatenated method names: 'nIqwOoZIwWT1Bsv0T5D', 'lyiMweZx2D2w6WOe1Rp', 'GC3L7HMkgj', 'HjMLUXbWlf', 'oYGLrUi3eh', 'GOvGRwZPnVg2SPI74me', 'BraCgYZi9XSha1MEWJ3'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, NF0U3o85styr0UIlr0.cs High entropy of concatenated method names: 'c9c2pYRA8F', 'Wkd2GctYba', 'ToString', 'sNO2MaD6LW', 'qkB2C1KSlo', 'ShT2Q7V1e7', 'uOS2KDqSqv', 'AIT2LWQVvy', 'Q3e2xYkm1d', 'bdO29Zuu0X'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, RgVUj8C20DhfcyAVmn.cs High entropy of concatenated method names: 'Dispose', 'v1cIyoGP9V', 'tN7TsWOAuS', 'k7cwokAEsr', 'LjtIbLZM5y', 'q5mIzknXn3', 'ProcessDialogKey', 'y8qTAEklh5', 'M2gTIZOKDC', 'KkSTT6sjNZ'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, CUWBgd994v9yS7mZ9Z.cs High entropy of concatenated method names: 'Donmdf09OA', 'SysmMLI286', 'RnGmCIyf0n', 'H5KmQtFkB0', 'lWTmKxIpaT', 'Vu9mLKr46f', 'd6hmxPnuLE', 'ljDm9JDih3', 'QHlm0DBnIB', 'P8MmpYxk3p'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, UhWILV4gvDXpyhvuh8.cs High entropy of concatenated method names: 'eckxM9lrgs', 'fSTxQCtJXn', 'EuExLO3ShF', 'R6xLbRd4dg', 'rw3LzwIeGG', 'B8YxAs88yh', 't6RxIMaC9s', 'jiWxTB5ilp', 'mFAxmRyGNu', 's8dxjdf7GK'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, UOde2UcdcQVGGXFk6M.cs High entropy of concatenated method names: 'Be1CNh6hjE', 'aejCSPUoYR', 'VvNCaeendw', 'aNhC8mVEbX', 'x0BCqnUOd7', 'S7jCOwBSgf', 'psDCZWi4By', 'alACeSU1D6', 'txHCyXYGyI', 'xo6CbAYYq2'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, osFZBOHBZsAJcprqgS.cs High entropy of concatenated method names: 'XJbKvZolC6', 'lSJKo2xNkh', 'pn3QncsLhn', 'zQrQitLLFk', 'auBQ3HBlb6', 'RL0Qt7J4xM', 'C7wQ4EjtpE', 'k6vQ5UiCEl', 'GbrQEXJ8iA', 'Vk9QhRHWDy'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, pBnf86IjVDR59piLt5K.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Shj1Ubsbty', 'Dth1rQfeSW', 'kqj1R2ftye', 't7x11kv19E', 'mYn16ikrVc', 'FfI1WvGQQx', 'EQ41FwCjRQ'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, i97c7jXusA5TqhbY5O.cs High entropy of concatenated method names: 'To5LdbOqw7', 'ShELC4xhYb', 'N3NLK1SVP5', 'tZfLxkg22l', 'ahGL9sjgWK', 'cACKq6wWm9', 'qVWKOODsd9', 'AgEKZ27nMM', 'VyuKe552Dx', 'JKoKyJcupD'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, i1nYCkz6WPbk7gIdQr.cs High entropy of concatenated method names: 'IQsrPZVHvU', 'C0OrcuNYsc', 'kBdrDYJI8I', 'PUErXVJ8K3', 'mcVrsDsk7F', 'OsJri0u4tm', 'IFEr3jVbkn', 'HaLrFmKNiH', 'MnirY7yS7h', 'g1HruNB3To'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, dv1eXVguZjBKA2ksdb.cs High entropy of concatenated method names: 'X3ZBcetceY', 'UcqBDV4Dkx', 'jPiBXn4cRi', 'A6jBsf7N7V', 'GynBiRLFYX', 'r1PB3pZlZE', 'gW2B4oF07k', 'jiGB5ANtCF', 'qjgBhLrx3x', 'heBBwl6YV2'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, Gwsq6pD7TehJh6XwMv.cs High entropy of concatenated method names: 'n4RQVtD54T', 'HRkQP6o3UF', 'K0JQcw4LZF', 'FkfQDkZJqI', 'lWhQkn3MWB', 'hjYQJl171o', 'Y8BQ2FFAs4', 'z6pQ7W0IO7', 'E3NQUV2UFV', 'kmcQrYiYND'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, EY6SvIO0tKajU4b5R3.cs High entropy of concatenated method names: 'Okp2e0a1wq', 'j6r2bwlaGp', 'T1r7AaLPDi', 'mHV7IptprO', 'PoB2wKSBjy', 'e932lhmsJk', 'JmF2g0tiZJ', 'AuK2NkIpUy', 'kI02SCSI7r', 'LtI2aFGjMG'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, v0jJGmIIpG0BNsTM3f6.cs High entropy of concatenated method names: 'RIsrbQTvD0', 'ljkrz6V3uN', 'AFtRAK5Eic', 'z7DRIlMWkn', 'xYgRT9mOfH', 'vQhRmHk6ku', 'EJjRjjeGWV', 'L7rRd73w1Y', 'VgxRMVIjB5', 'mQxRCW4DCN'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, vsjNZlbPrKsvreki44.cs High entropy of concatenated method names: 'VVIrQG5QvO', 'y7QrKFWx8T', 'j6hrLbADkq', 'nAbrxULMGh', 'ma3rUr3Txo', 'Ww7r9sKUBh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, B9jTKcZxh61coGP9V4.cs High entropy of concatenated method names: 'fkmUks0N1c', 'ADZU2j4BLX', 'y8dUU5lCQa', 'i6cURcg3ut', 'XlrU6u82s9', 'eEKUFOv6M2', 'Dispose', 'Ksg7MolUyI', 'XBk7CN3LVT', 'c527QlOoow'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, QCyUa3TMjwiiaWqOsj.cs High entropy of concatenated method names: 'iu1fUd1XA', 'E8YVFROkV', 'C2cParlsj', 'K2Ao3oEr2', 'sr6DIDrdT', 'ETOHFUu5V', 'pgJ0Jk3uInEl8lQAmq', 'tiEbfqSWmME1CIou1K', 'eHD7U3wNS', 'fFor5CPXU'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, nw0ssXjKdKjQC2pJfj.cs High entropy of concatenated method names: 'xKOIxOde2U', 'ecQI9VGGXF', 'l7TIpehJh6', 'GwMIGvksFZ', 'mrqIkgSK97', 'D7jIJusA5T', 'rVT5JrcoWInAUrcpSM', 'oIqbYdBF05wcG9u97A', 'N36II59dcH', 'oEnImKVgm6'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, D0DI1YEYj1iElTSGet.cs High entropy of concatenated method names: 'cXxxYJeLep', 'DN6xucjKKR', 'gQXxf7SR5G', 'DuyxVTA7kI', 'FKPxvRyFpY', 's4GxPQcP68', 'O8OxoEMWrS', 'KKxxcKOUxF', 'OoBxDuPN0a', 'SrfxHpCPAI'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, NxUlCcNCwcOpVpDoJU.cs High entropy of concatenated method names: 'HMckhI6pNv', 'xpOkldyP5k', 'egCkNjPgLR', 'D4ckSXBIxv', 'VMtksLToot', 'JUOknGsWho', 'mUNkifb9fD', 'ShAk3kkYqh', 'ITxktK7Poa', 'C2Pk4MeTCg'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, UEklh5y52gZOKDCtkS.cs High entropy of concatenated method names: 'fH1UXtUXms', 'p6sUsJDZCa', 'UEKUncQphb', 'iOXUip7jKX', 'iZiU3pqBtW', 'x6OUtdILDT', 'QwMU4TsIMJ', 'CTtU57Rfb5', 'eoCUE7tTYZ', 'q42UhXT9t7'
Source: 0.2.Justificante de pago.exe.4e7a0f0.5.raw.unpack, YX1qR8sJC0UsMlZGTT.cs High entropy of concatenated method names: 'nIqwOoZIwWT1Bsv0T5D', 'lyiMweZx2D2w6WOe1Rp', 'GC3L7HMkgj', 'HjMLUXbWlf', 'oYGLrUi3eh', 'GOvGRwZPnVg2SPI74me', 'BraCgYZi9XSha1MEWJ3'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, NF0U3o85styr0UIlr0.cs High entropy of concatenated method names: 'c9c2pYRA8F', 'Wkd2GctYba', 'ToString', 'sNO2MaD6LW', 'qkB2C1KSlo', 'ShT2Q7V1e7', 'uOS2KDqSqv', 'AIT2LWQVvy', 'Q3e2xYkm1d', 'bdO29Zuu0X'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, RgVUj8C20DhfcyAVmn.cs High entropy of concatenated method names: 'Dispose', 'v1cIyoGP9V', 'tN7TsWOAuS', 'k7cwokAEsr', 'LjtIbLZM5y', 'q5mIzknXn3', 'ProcessDialogKey', 'y8qTAEklh5', 'M2gTIZOKDC', 'KkSTT6sjNZ'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, CUWBgd994v9yS7mZ9Z.cs High entropy of concatenated method names: 'Donmdf09OA', 'SysmMLI286', 'RnGmCIyf0n', 'H5KmQtFkB0', 'lWTmKxIpaT', 'Vu9mLKr46f', 'd6hmxPnuLE', 'ljDm9JDih3', 'QHlm0DBnIB', 'P8MmpYxk3p'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, UhWILV4gvDXpyhvuh8.cs High entropy of concatenated method names: 'eckxM9lrgs', 'fSTxQCtJXn', 'EuExLO3ShF', 'R6xLbRd4dg', 'rw3LzwIeGG', 'B8YxAs88yh', 't6RxIMaC9s', 'jiWxTB5ilp', 'mFAxmRyGNu', 's8dxjdf7GK'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, UOde2UcdcQVGGXFk6M.cs High entropy of concatenated method names: 'Be1CNh6hjE', 'aejCSPUoYR', 'VvNCaeendw', 'aNhC8mVEbX', 'x0BCqnUOd7', 'S7jCOwBSgf', 'psDCZWi4By', 'alACeSU1D6', 'txHCyXYGyI', 'xo6CbAYYq2'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, osFZBOHBZsAJcprqgS.cs High entropy of concatenated method names: 'XJbKvZolC6', 'lSJKo2xNkh', 'pn3QncsLhn', 'zQrQitLLFk', 'auBQ3HBlb6', 'RL0Qt7J4xM', 'C7wQ4EjtpE', 'k6vQ5UiCEl', 'GbrQEXJ8iA', 'Vk9QhRHWDy'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, pBnf86IjVDR59piLt5K.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Shj1Ubsbty', 'Dth1rQfeSW', 'kqj1R2ftye', 't7x11kv19E', 'mYn16ikrVc', 'FfI1WvGQQx', 'EQ41FwCjRQ'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, i97c7jXusA5TqhbY5O.cs High entropy of concatenated method names: 'To5LdbOqw7', 'ShELC4xhYb', 'N3NLK1SVP5', 'tZfLxkg22l', 'ahGL9sjgWK', 'cACKq6wWm9', 'qVWKOODsd9', 'AgEKZ27nMM', 'VyuKe552Dx', 'JKoKyJcupD'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, i1nYCkz6WPbk7gIdQr.cs High entropy of concatenated method names: 'IQsrPZVHvU', 'C0OrcuNYsc', 'kBdrDYJI8I', 'PUErXVJ8K3', 'mcVrsDsk7F', 'OsJri0u4tm', 'IFEr3jVbkn', 'HaLrFmKNiH', 'MnirY7yS7h', 'g1HruNB3To'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, dv1eXVguZjBKA2ksdb.cs High entropy of concatenated method names: 'X3ZBcetceY', 'UcqBDV4Dkx', 'jPiBXn4cRi', 'A6jBsf7N7V', 'GynBiRLFYX', 'r1PB3pZlZE', 'gW2B4oF07k', 'jiGB5ANtCF', 'qjgBhLrx3x', 'heBBwl6YV2'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, Gwsq6pD7TehJh6XwMv.cs High entropy of concatenated method names: 'n4RQVtD54T', 'HRkQP6o3UF', 'K0JQcw4LZF', 'FkfQDkZJqI', 'lWhQkn3MWB', 'hjYQJl171o', 'Y8BQ2FFAs4', 'z6pQ7W0IO7', 'E3NQUV2UFV', 'kmcQrYiYND'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, EY6SvIO0tKajU4b5R3.cs High entropy of concatenated method names: 'Okp2e0a1wq', 'j6r2bwlaGp', 'T1r7AaLPDi', 'mHV7IptprO', 'PoB2wKSBjy', 'e932lhmsJk', 'JmF2g0tiZJ', 'AuK2NkIpUy', 'kI02SCSI7r', 'LtI2aFGjMG'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, v0jJGmIIpG0BNsTM3f6.cs High entropy of concatenated method names: 'RIsrbQTvD0', 'ljkrz6V3uN', 'AFtRAK5Eic', 'z7DRIlMWkn', 'xYgRT9mOfH', 'vQhRmHk6ku', 'EJjRjjeGWV', 'L7rRd73w1Y', 'VgxRMVIjB5', 'mQxRCW4DCN'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, vsjNZlbPrKsvreki44.cs High entropy of concatenated method names: 'VVIrQG5QvO', 'y7QrKFWx8T', 'j6hrLbADkq', 'nAbrxULMGh', 'ma3rUr3Txo', 'Ww7r9sKUBh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, B9jTKcZxh61coGP9V4.cs High entropy of concatenated method names: 'fkmUks0N1c', 'ADZU2j4BLX', 'y8dUU5lCQa', 'i6cURcg3ut', 'XlrU6u82s9', 'eEKUFOv6M2', 'Dispose', 'Ksg7MolUyI', 'XBk7CN3LVT', 'c527QlOoow'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, QCyUa3TMjwiiaWqOsj.cs High entropy of concatenated method names: 'iu1fUd1XA', 'E8YVFROkV', 'C2cParlsj', 'K2Ao3oEr2', 'sr6DIDrdT', 'ETOHFUu5V', 'pgJ0Jk3uInEl8lQAmq', 'tiEbfqSWmME1CIou1K', 'eHD7U3wNS', 'fFor5CPXU'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, nw0ssXjKdKjQC2pJfj.cs High entropy of concatenated method names: 'xKOIxOde2U', 'ecQI9VGGXF', 'l7TIpehJh6', 'GwMIGvksFZ', 'mrqIkgSK97', 'D7jIJusA5T', 'rVT5JrcoWInAUrcpSM', 'oIqbYdBF05wcG9u97A', 'N36II59dcH', 'oEnImKVgm6'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, D0DI1YEYj1iElTSGet.cs High entropy of concatenated method names: 'cXxxYJeLep', 'DN6xucjKKR', 'gQXxf7SR5G', 'DuyxVTA7kI', 'FKPxvRyFpY', 's4GxPQcP68', 'O8OxoEMWrS', 'KKxxcKOUxF', 'OoBxDuPN0a', 'SrfxHpCPAI'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, NxUlCcNCwcOpVpDoJU.cs High entropy of concatenated method names: 'HMckhI6pNv', 'xpOkldyP5k', 'egCkNjPgLR', 'D4ckSXBIxv', 'VMtksLToot', 'JUOknGsWho', 'mUNkifb9fD', 'ShAk3kkYqh', 'ITxktK7Poa', 'C2Pk4MeTCg'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, UEklh5y52gZOKDCtkS.cs High entropy of concatenated method names: 'fH1UXtUXms', 'p6sUsJDZCa', 'UEKUncQphb', 'iOXUip7jKX', 'iZiU3pqBtW', 'x6OUtdILDT', 'QwMU4TsIMJ', 'CTtU57Rfb5', 'eoCUE7tTYZ', 'q42UhXT9t7'
Source: 0.2.Justificante de pago.exe.4dbd4d0.2.raw.unpack, YX1qR8sJC0UsMlZGTT.cs High entropy of concatenated method names: 'nIqwOoZIwWT1Bsv0T5D', 'lyiMweZx2D2w6WOe1Rp', 'GC3L7HMkgj', 'HjMLUXbWlf', 'oYGLrUi3eh', 'GOvGRwZPnVg2SPI74me', 'BraCgYZi9XSha1MEWJ3'
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406128 ShellExecuteW,URLDownloadToFileW, 14_2_00406128
Source: C:\Users\user\Desktop\Justificante de pago.exe File created: C:\Users\user\AppData\Roaming\TYLngHLuy.exe

Boot Survival

Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\user\AppData\Local\Temp\tmpEABB.tmp"
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 14_2_00419BC4

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041BCE3
Source: C:\Users\user\Desktop\Justificante de pago.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040E54F Sleep,ExitProcess, 14_2_0040E54F
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 1490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 3270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 5830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 6830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 6960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: 7960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: A570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: B570000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: BA00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: CA00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 2940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 4AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 6120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 6250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 7250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 9DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: ADD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 14_2_004198C2
Source: C:\Users\user\Desktop\Justificante de pago.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (listed 4 times)
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8048
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8706
Source: C:\Users\user\Desktop\Justificante de pago.exe Window / User API: threadDelayed 9270
Source: C:\Users\user\Desktop\Justificante de pago.exe Window / User API: foregroundWindowGot 1769
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 428 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 3524 Thread sleep count: 207 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 3524 Thread sleep time: -103500s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep count: 223 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep time: -669000s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep count: 9270 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep time: -27810000s >= -30000s
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe TID: 1488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (listed 2 times)
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 14_2_0040B335
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 14_2_0041B42F
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 14_2_0040B53A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0044D5E9 FindFirstFileExA, 14_2_0044D5E9
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 14_2_004089A9
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406AC2 FindFirstFileW,FindNextFileW, 14_2_00406AC2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 14_2_00407A8C
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 14_2_00418C69
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 14_2_00408DA7
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 14_2_00406F06
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: C:\Users\user\Desktop\Justificante de pago.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0043A65D
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 14_2_0041BCE3
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00442554 mov eax, dword ptr fs:[00000030h] 14_2_00442554
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0044E92E GetProcessHeap, 14_2_0044E92E
Source: C:\Users\user\Desktop\Justificante de pago.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (listed 2 times)
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00434168
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0043A65D
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00433B44
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00433CD7 SetUnhandledExceptionFilter, 14_2_00433CD7
Source: C:\Users\user\Desktop\Justificante de pago.exe Memory allocated: page read and write | page guard
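The thread-delay entries above mix two different things, and the report's fixed thresholds (more than 30 sleep calls, or more than 30000 ms in total) fire on both. A delay of 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000), i.e. the largest interval .NET can represent, not a delay the sample chose; 3689348814741908 and 5534023222112862 are exactly 4 and 6 times that value, so those powershell.exe threads accumulated several such unbounded waits. The "memory reserve | memory write watch" allocations are likewise the CLR garbage collector reserving its heap with MEM_WRITE_WATCH, which every .NET process does. The evasion that matters is on the two Justificante de pago.exe threads that call Sleep hundreds or thousands of times: their totals imply 500 ms and 3000 ms per call, and the 9270-call loop alone runs past seven hours of simulated time. The Python below is an added example, not part of the Joe Sandbox report. It parses lines in the report's own format (the sample lines are copied from the thread entries above) and separates unbounded waits from genuine sleep loops, reporting the per-call interval for the latter. It assumes the report's "time" figures are milliseconds despite the "s" suffix, which is the reading under which both the TimeSpan.MaxValue figure and the 30000 threshold make sense.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10,000 ticks per ms): the largest
# wait .NET can express, which is what an unbounded wait shows up as in the report.
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477
SANDBOX_BUDGET_MS = 30_000                   # the "-30000s" threshold the report compares against

LINE_RE = re.compile(r"Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): -?(?P<val>\d+)")

# Constructed sample: the TID lines from the report, in the report's own format (assumed to be ms).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 428 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3228 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 3524 Thread sleep count: 207 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 3524 Thread sleep time: -103500s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep count: 223 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep time: -669000s >= -30000s
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep count: 9270 > 30
Source: C:\Users\user\Desktop\Justificante de pago.exe TID: 5804 Thread sleep time: -27810000s >= -30000s
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe TID: 1488 Thread sleep time: -922337203685477s >= -30000s
""".strip().splitlines()


def parse(lines):
    """Per (image, TID): sleep call count and summed sleep time in ms. The report can list the
    same TID more than once as its counters grow, so the largest value wins."""
    threads = defaultdict(lambda: {"count": 0, "total_ms": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        key = (m["src"].rsplit("\\", 1)[-1], int(m["tid"]))
        field = "count" if m["kind"] == "count" else "total_ms"
        threads[key][field] = max(threads[key][field], int(m["val"]))
    return dict(threads)


def classify(count, total_ms):
    """Unbounded waits are exact multiples of TimeSpan.MaxValue; a sleep loop is many calls
    whose sum exceeds the sandbox budget, and its per-call interval is the useful number."""
    if total_ms and total_ms % INFINITE_MS == 0:
        return {"kind": "infinite_wait", "multiples": total_ms // INFINITE_MS, "interval_ms": None}
    interval = round(total_ms / count) if count else None
    if count > 30 and total_ms >= SANDBOX_BUDGET_MS:
        return {"kind": "sleep_loop", "multiples": None, "interval_ms": interval}
    return {"kind": "short", "multiples": None, "interval_ms": interval}


def triage(lines):
    return {key: {**stats, **classify(stats["count"], stats["total_ms"])}
            for key, stats in parse(lines).items()}


if __name__ == "__main__":
    for (image, tid), info in sorted(triage(SAMPLE_LINES).items()):
        print(f"{image} TID {tid}: {info['kind']} count={info['count']} total_ms={info['total_ms']} "
              f"interval_ms={info['interval_ms']} multiples={info['multiples']}")
```

Applied to the lines above it flags TIDs 3524 and 5804 of Justificante de pago.exe as sleep loops (500 ms and 3000 ms per call) and the other six threads as unbounded waits, which is the distinction worth carrying into a triage note rather than the raw "delayed" count.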

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Justificante de pago.exe"
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TYLngHLuy.exe"
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Memory written: C:\Users\user\AppData\Roaming\TYLngHLuy.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 14_2_00410F36
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00418754 mouse_event, 14_2_00418754
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\user\AppData\Local\Temp\tmpEABB.tmp"
Source: C:\Users\user\Desktop\Justificante de pago.exe Process created: C:\Users\user\Desktop\Justificante de pago.exe "C:\Users\user\Desktop\Justificante de pago.exe"
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TYLngHLuy" /XML "C:\Users\user\AppData\Local\Temp\tmp529.tmp"
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Process created: C:\Users\user\AppData\Roaming\TYLngHLuy.exe "C:\Users\user\AppData\Roaming\TYLngHLuy.exe"
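The process-creation entries above are the whole persistence and defence-evasion chain in a handful of command lines: the dropper starts 32-bit powershell.exe (the image sits under SysWOW64 although the command line names System32, because the parent is a 32-bit process and WOW64 file-system redirection rewrites the path) to exclude both itself and its copy under %AppData% from Defender scanning, registers the scheduled task Updates\TYLngHLuy from an XML file written to %Temp%, and then relaunches its own image; the copy repeats the last two steps, and the MZ header written to base 400000 of the child TYLngHLuy.exe is consistent with the child being hollowed and filled with the native payload whose code functions are listed in this section. The Python below is an added example, not part of the Joe Sandbox report. It replays those command lines (constructed from the entries above, plus one constructed variant that wraps the cmdlet in -EncodedCommand, which a match on the clear-text cmdlet name would miss, and one benign schtasks call that must not fire) through three rules. The event layout, rule names and severities are assumptions of the example, as is the tokenizer, which handles quoted paths but not every cmd.exe escaping rule.

```python
from __future__ import annotations
import base64
import binascii
import re
from dataclasses import dataclass

# Path fragments a standard user can write to; an exclusion or self-launch there is the suspicious case.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

@dataclass
class ProcEvent:          # assumed event layout; Sysmon event 1 and Security 4688 carry the same fields
    parent_image: str
    image: str
    command_line: str

@dataclass
class Finding:
    rule: str
    severity: str
    detail: str

def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole and unquoting them."""
    return [t.strip("\"'") for t in re.findall(r'''"[^"]*"|'[^']*'|\S+''', cmd)]

def expand_encoded(tokens: list[str]) -> list[str]:
    """Append the tokens of a -EncodedCommand payload (base64 over UTF-16LE) so the rules see the
    cmdlet even when it never appears in clear text; powershell.exe accepts any prefix of the switch."""
    out = list(tokens)
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            try:
                out.extend(tokenize(base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")))
            except (binascii.Error, UnicodeDecodeError):
                continue  # not an encoded payload (e.g. the value of -ExecutionPolicy)
    return out

def is_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)

def arg_after(tokens: list[str], flag: str):
    """Value following a switch such as /XML or -ExclusionPath, matched case-insensitively."""
    low = [t.lower() for t in tokens]
    idx = low.index(flag) if flag in low else -1
    return tokens[idx + 1] if 0 <= idx < len(tokens) - 1 else None

def rule_defender_exclusion(ev: ProcEvent, tokens: list[str]):
    if not ev.image.lower().endswith("powershell.exe") or "add-mppreference" not in [t.lower() for t in tokens]:
        return None
    for switch in ("-exclusionpath", "-exclusionprocess", "-exclusionextension"):
        target = arg_after(tokens, switch)
        if target is not None:
            return Finding("defender_exclusion", "high" if is_user_writable(target) else "medium", f"{switch} {target}")
    return None

def rule_task_from_temp(ev: ProcEvent, tokens: list[str]):
    if not ev.image.lower().endswith("schtasks.exe") or "/create" not in [t.lower() for t in tokens]:
        return None
    xml = arg_after(tokens, "/xml")
    if xml and "\\temp\\" in xml.lower():
        return Finding("task_xml_from_temp", "high", f"task {arg_after(tokens, '/tn')} defined by {xml}")
    return None

def rule_self_spawn(ev: ProcEvent, tokens: list[str]):
    """A user-directory executable relaunching its own image, the step that preceded the PE write at 0x400000."""
    if ev.image.lower() == ev.parent_image.lower() and is_user_writable(ev.image):
        return Finding("self_spawn_user_dir", "medium", ev.image)
    return None

def analyze(events: list[ProcEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        tokens = expand_encoded(tokenize(ev.command_line))
        for rule in (rule_defender_exclusion, rule_task_from_temp, rule_self_spawn):
            hit = rule(ev, tokens)
            if hit:
                findings.append(hit)
    return findings

# Constructed sample events: the report's command lines, one -EncodedCommand variant, one benign schtasks call.
DROPPER = r"C:\Users\user\Desktop\Justificante de pago.exe"
COPY = r"C:\Users\user\AppData\Roaming\TYLngHLuy.exe"
PS_IMAGE, PS_CMD = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS_IMAGE, SCHTASKS_CMD = r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\System32\schtasks.exe"'
TASK, BENIGN_XML = r"Updates\TYLngHLuy", r"C:\ProgramData\Backup\task.xml"
XML_A, XML_B = r"C:\Users\user\AppData\Local\Temp\tmpEABB.tmp", r"C:\Users\user\AppData\Local\Temp\tmp529.tmp"
ENCODED = base64.b64encode(f"Add-MpPreference -ExclusionPath '{COPY}'".encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    ProcEvent(DROPPER, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{DROPPER}"'),
    ProcEvent(DROPPER, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{COPY}"'),
    ProcEvent(DROPPER, SCHTASKS_IMAGE, f'{SCHTASKS_CMD} /Create /TN "{TASK}" /XML "{XML_A}"'),
    ProcEvent(DROPPER, DROPPER, f'"{DROPPER}"'),
    ProcEvent(COPY, SCHTASKS_IMAGE, f'{SCHTASKS_CMD} /Create /TN "{TASK}" /XML "{XML_B}"'),
    ProcEvent(COPY, COPY, f'"{COPY}"'),
    ProcEvent(COPY, PS_IMAGE, f"{PS_CMD} -NoProfile -enc {ENCODED}"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", SCHTASKS_IMAGE, f'{SCHTASKS_CMD} /Create /TN "Backup" /XML "{BENIGN_XML}"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run as-is it prints seven findings and nothing for the benign event. The same three rules map directly onto Sysmon event ID 1 or Security event 4688 with command-line auditing enabled; the -EncodedCommand expansion is the part a plain string match on "Add-MpPreference" lacks, and the Defender exclusion severity keys off the excluded path being user-writable, which is what separates this chain from an administrator excluding a build directory.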
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerCD\
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerGT
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerpc]Tem>
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerCD\:\P
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7643
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager?
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerCD\c
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7643tss
Source: Justificante de pago.exe, 00000009.00000002.4543208869.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00433E0A cpuid 14_2_00433E0A
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: EnumSystemLocalesW, 14_2_004470AE
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoW, 14_2_004510BA
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_004511E3
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoW, 14_2_004512EA
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_004513B7
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoW, 14_2_00447597
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoA, 14_2_0040E679
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 14_2_00450A7F
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: EnumSystemLocalesW, 14_2_00450CF7
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: EnumSystemLocalesW, 14_2_00450D42
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: EnumSystemLocalesW, 14_2_00450DDD
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_00450E6A
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Users\user\Desktop\Justificante de pago.exe VolumeInformation
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Justificante de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 11 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (listed 2 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (listed 7 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Queries volume information: C:\Users\user\AppData\Roaming\TYLngHLuy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 14_2_00434010
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0041A7A2 GetUserNameW, 14_2_0041A7A2
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: 14_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 14_2_0044800F
Source: C:\Users\user\Desktop\Justificante de pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2180128990.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543491647.0000000002E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 14_2_0040B21B
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 14_2_0040B335
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: \key3.db 14_2_0040B335

Remote Access Functionality

Source: C:\Users\user\Desktop\Justificante de pago.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14OQCD
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14OQCD
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TYLngHLuy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3bcab68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.500b968.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Justificante de pago.exe.4f93548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.TYLngHLuy.exe.3b52748.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2180128990.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543208869.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2179414949.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.4543491647.0000000002E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2203488669.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2142961583.0000000004F93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Justificante de pago.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TYLngHLuy.exe PID: 4676, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\TYLngHLuy.exe Code function: cmd.exe 14_2_00405042