Windows Analysis Report
TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe

Overview

General Information

Sample name: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
(renamed file extension from bin to exe)
Original sample name: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.bin
Analysis ID: 1559772
MD5: fb652b5ff3a97ebbb8c9bf69c7010c1c
SHA1: 49acdeb895d801dd4439fad35337b19baca56d65
SHA256: 4d37f7aea76ccb788710e7d3a8d2553964142a835115a9f0768f33b286400352

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Injects a PE file into a foreign processes
Installs a global keyboard hook
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["alfredoperezpu1405.con-ip.com:2500:1", "alfredoperezpu1405.con-ip.com:1663:1"], "Assigned name": "PRAGAA", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NK89SF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe ReversingLabs: Detection: 48%
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.882045254.000000000283F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3444, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.4% probability
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_bf76706f-1

Exploits

Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Malware configuration extractor URLs: alfredoperezpu1405.con-ip.com
Source: global traffic DNS traffic detected: DNS query: alfredoperezpu1405.con-ip.com
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://www.indyproject.org/
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://www.safelyremove.com
Source: ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/allVersions.htmP
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/allVersions.htmU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/blog/how-to-use-skins/
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/blog/how-to-use-skins/U
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/common/convert-license-key-svc?key=
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/common/userdebugreport.phpU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/download.htm?sm=CrackedVer_WrArch
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/download.htm?sm=ServiceWrArch
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/download.htm?sm=ServiceWrVerU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/enterkey.htm?sm=regform
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/enterkey.htmU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/order.htm
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/readaboutpro.htmU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/restoreLicKey.htm?sm=regformU
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr String found in binary or memory: http://zentimo.com/versioninfo/vernew.htm?

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.882045254.000000000283F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3444, type: MEMORYSTR

System Summary

Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File dump: ZentimoVideo.exe.0.dr 977447173
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_005264C0 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524F44 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00526806 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_005264F8 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524CE8 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525D4F NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525D76 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525992 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525DB1 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524DB7 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524A5E NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524A6F NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_0052522E NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524EF8 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524284 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_005256BC NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525AAB NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_005262AE NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525BCC NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00524794 NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00525FAB NtQueryDefaultLocale
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BADE5D NtCreateThreadEx
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAE15A NtCreateThreadEx
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BADABC NtCreateThreadEx
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAD631 NtCreateThreadEx
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAD677 NtCreateThreadEx
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B63B3C 0_2_00B63B3C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B6332D 0_2_00B6332D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B63F11 0_2_00B63F11
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B61B75 0_2_00B61B75
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B62F64 0_2_00B62F64
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B63F5F 0_2_00B63F5F
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B63346 0_2_00B63346
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B63B46 0_2_00B63B46
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B70259 0_2_00B70259
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B6FF28 0_2_00B6FF28
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B76018 0_2_00B76018
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B794A5 0_2_00B794A5
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B79380 0_2_00B79380
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B795FD 0_2_00B795FD
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B794FB 0_2_00B794FB
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B79719 0_2_00B79719
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B76551 0_2_00B76551
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9CC48 0_2_00B9CC48
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAA220 0_2_00BAA220
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BADE5D 0_2_00BADE5D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAB0B0 0_2_00BAB0B0
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B4B3 0_2_00B9B4B3
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9BC8E 0_2_00B9BC8E
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAACF8 0_2_00BAACF8
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAC8D5 0_2_00BAC8D5
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B036 0_2_00B9B036
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B80A 0_2_00B9B80A
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B40E 0_2_00B9B40E
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B07E 0_2_00B9B07E
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAD042 0_2_00BAD042
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAC1CD 0_2_00BAC1CD
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B1C7 0_2_00B9B1C7
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B8512B 0_2_00B8512B
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B524 0_2_00B9B524
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BA0D05 0_2_00BA0D05
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BA9965 0_2_00BA9965
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAD149 0_2_00BAD149
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAA947 0_2_00BAA947
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BACE95 0_2_00BACE95
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B28E 0_2_00B9B28E
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAAECF 0_2_00BAAECF
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9A239 0_2_00B9A239
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9A22A 0_2_00B9A22A
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B96E11 0_2_00B96E11
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9CA5D 0_2_00B9CA5D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAEA48 0_2_00BAEA48
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9BBA7 0_2_00B9BBA7
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BABB9F 0_2_00BABB9F
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAAF95 0_2_00BAAF95
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B7F3 0_2_00B9B7F3
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9BBC0 0_2_00B9BBC0
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAC734 0_2_00BAC734
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAD329 0_2_00BAD329
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B72D 0_2_00B9B72D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BAA71E 0_2_00BAA71E
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B84378 0_2_00B84378
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B9B75C 0_2_00B9B75C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD181A 0_2_00BD181A
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD0864 0_2_00BD0864
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD6ACC 0_2_00BD6ACC
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD337B 0_2_00BD337B
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BC9880 0_2_00BC9880
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BCF826 0_2_00BCF826
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD0822 0_2_00BD0822
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BC101C 0_2_00BC101C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD0812 0_2_00BD0812
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BBA80B 0_2_00BBA80B
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD7133 0_2_00BD7133
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BDAAB0 0_2_00BDAAB0
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD729C 0_2_00BD729C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BDA281 0_2_00BDA281
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB7A1C 0_2_00BB7A1C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB7A0D 0_2_00BB7A0D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB7A06 0_2_00BB7A06
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD3A64 0_2_00BD3A64
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BBABA9 0_2_00BBABA9
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD0397 0_2_00BD0397
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BDCBCD 0_2_00BDCBCD
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD13CF 0_2_00BD13CF
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BBDBC0 0_2_00BBDBC0
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD633A 0_2_00BD633A
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD9B5C 0_2_00BD9B5C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BDC49F 0_2_00BDC49F
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BBA49D 0_2_00BBA49D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD8C29 0_2_00BD8C29
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD9DEE 0_2_00BD9DEE
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB75EC 0_2_00BB75EC
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BC0DC5 0_2_00BC0DC5
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BCED29 0_2_00BCED29
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB756C 0_2_00BB756C
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BC4EBF 0_2_00BC4EBF
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BCEE82 0_2_00BCEE82
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB7E33 0_2_00BB7E33
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB7E20 0_2_00BB7E20
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD1621 0_2_00BD1621
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD8E14 0_2_00BD8E14
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BDC64A 0_2_00BDC64A
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD77A4 0_2_00BD77A4
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BC9F84 0_2_00BC9F84
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB6F81 0_2_00BB6F81
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BD6F3C 0_2_00BD6F3C
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405329214.0000000002BBF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZentimo.exe0 vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405329214.0000000002649000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZentimo.exe0 vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000000.352403064.0000000000A22000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZentimo.exe0 vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000000.352200957.000000000041A000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Binary or memory string: OriginalFilename vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Binary or memory string: OriginalFilenameZentimo.exe0 vs TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: ZentimoVideo.exe.0.dr Binary string: \Device\Harddisk%d\Partition%dU
Source: ZentimoVideo.exe.0.dr Binary string: \Device\HarddiskU
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@3/2@746/0
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File created: C:\Users\user\Music\ZentimoDesignerUpdater
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NK89SF
Source: Yara match File source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, type: SAMPLE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.352200957.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405329214.0000000002630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe ReversingLabs: Detection: 48%
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: NATS-SEFI-ADD
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: NATS-DANO-ADD
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: jp-ocr-b-add
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: jp-ocr-hand-add
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: ISO_6937-2-add
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: LAutomatically mount/dismount TrueCrypt volumes on device insertion/stopping;
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: Registration is successful)Entered license information is not valid!HAttention! A 32-bit version of "%s" service is run under Windows 64-bit!6Attention! Too old version of "%s" service is running!xPlease download the program from our web-site and re-install it, otherwise some program functions will work incorrectly.iThe device stopping/returning process is not complete. Do you want to close the program now all the same?yIt is recommended to wait for some time until the program finishes all the operations and try to close the program again.%Do you want to close the program now?
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: before-stop-16
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: after-stop-16
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: before-stop-32
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: after-stop-32
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: device-stop-16
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: forced-stop
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe String found in binary or memory: device-stop
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File read: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe
Source: unknown Process created: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe "C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Process created: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe "C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Process created: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe "C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: shcore.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Section loaded: rasadhlp.dll
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static file information: File size 7649280 > 1048576
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x503800
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x213600
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: More than 200 imports for user32.dll
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: More than 200 imports for gdiplus.dll
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: real checksum: 0x6c1f12 should be: 0x74d38f
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Static PE information: section name: .didata
Source: ZentimoVideo.exe.0.dr Static PE information: section name: .didata
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_0051AD1C push ds; retf 0_2_0051AD1D
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_0051EDA3 push esi; ret 0_2_0051EDA4
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_0051EE94 pushfd ; retn 0053h 0_2_0052E5C5
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B87C17 push eax; retf 0_2_00B87C19
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B879FA push esp; retf 0_2_00B879FF
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B87A6E push eax; retf 0_2_00B87A6F
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B87A5F push esp; retf 0_2_00B87A60
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B85FC5 pushfd ; retf 0_2_00B85FC7
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00B85F5F pushfd ; retf 0_2_00B85F61
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB91A9 pushad ; iretd 0_2_00BB91D3
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB923E pushad ; iretd 0_2_00BB923F
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB9496 push eax; iretd 0_2_00BB94B1
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Code function: 0_2_00BB9465 push esp; iretd 0_2_00BB9466
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe File created: C:\Users\user\Music\ZentimoDesignerUpdater\ZentimoVideo.exe
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZentimoDesignerEditor
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Window / User API: threadDelayed 730
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Window / User API: threadDelayed 8838
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Window / User API: foregroundWindowGot 1758
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Dropped PE file which has not been started: C:\Users\user\Music\ZentimoDesignerUpdater\ZentimoVideo.exe
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3464 Thread sleep count: 82 > 30
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3464 Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3468 Thread sleep count: 730 > 30
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3468 Thread sleep time: -2190000s >= -30000s
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3468 Thread sleep count: 8838 > 30
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe TID: 3468 Thread sleep time: -26514000s >= -30000s
Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Process created: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe "C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe"

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Memory written: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe base: 1C0000 value starts with: 4D5A
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, ZentimoVideo.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerSF\
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managersic\ZentimoDesignerUpdater\ZentimoVideo.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr Binary or memory string: [Program Manager]
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405329214.0000000002649000.00000004.00001000.00020000.00000000.sdmp, TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000000.352200957.000000000041A000.00000020.00000001.01000000.00000003.sdmp, ZentimoVideo.exe.0.dr Binary or memory string: Avp.exe
Source: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000002.405329214.0000000002649000.00000004.00001000.00020000.00000000.sdmp, TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe, 00000000.00000000.352200957.000000000041A000.00000020.00000001.01000000.00000003.sdmp, ZentimoVideo.exe.0.dr Binary or memory string: drweb32w.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.882045254.000000000283F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3444, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NK89SF
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.adf40a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.882045254.000000000283F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881970203.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405058019.00000000002F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.405178502.0000000000ADF000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TRANSFERENCIA ACH NO 987685745658790976587465789.exe.exe PID: 3444, type: MEMORYSTR
No contacted IP infos