Windows Analysis Report
comprobante de transferencia.exe

Overview

General Information

Sample name: comprobante de transferencia.exe
Analysis ID: 1411000
MD5: 8a1422827315b9db63cd6b399a454fab
SHA1: 235c6e8149097f00ac26e70b0022c7b5a2f49c1d
SHA256: 2d49a4fcfdf17af26d78ec4eea4eb75176ab9918c7644855d4d80454ce7382c0

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
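The three WMI signatures above (Win32_Processor, Win32_Bios/Win32_BaseBoard, Win32_NetworkAdapter) describe the host-profiling that GuLoader-class loaders use to decide whether they are running in a sandbox. The following is an added example, not part of the report or of the sample, showing which fields those queries expose and the tells a loader checks them for. The WMI records are constructed for the example; the OUI table and vendor strings are public hypervisor identifiers, and the 440BX board string is the value VMware guests report.

```python
"""Evaluate WMI-style host records for the virtualisation tells that loaders
look for in Win32_Processor, Win32_BIOS, Win32_BaseBoard and
Win32_NetworkAdapter. All records below are constructed for this example."""

# OUI prefixes registered to common hypervisor vendors (public IEEE assignments).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM", "00:15:5D": "Hyper-V",
}
# Vendor strings hypervisors expose through SMBIOS/CPUID unless the sandbox rewrites them.
# "xen" and "virtual" are deliberately broad; treat a single text hit as weak evidence.
VM_VENDOR_WORDS = ("vmware", "virtualbox", "vbox", "innotek", "oracle corporation", "440bx",
                   "qemu", "kvm", "bochs", "xen", "hyper-v", "virtual")
TEXT_FIELDS = ("Manufacturer", "SerialNumber", "Product", "Name", "Version", "Description")


def vm_indicators(records):
    """Return human-readable reasons the host looks virtualised; an empty list means no tell found."""
    hits = []
    for rec in records:
        cls = rec.get("class", "?")
        if cls == "Win32_NetworkAdapter":
            mac = str(rec.get("MACAddress", "")).upper()
            vendor = VM_MAC_OUIS.get(mac[:8])
            if vendor:
                hits.append(f"{cls}.MACAddress={mac} ({vendor} OUI)")
        if cls == "Win32_Processor":
            cores = int(rec.get("NumberOfCores") or 0)
            if 0 < cores < 2:
                hits.append(f"{cls}.NumberOfCores={cores} (single-core hosts are rare outside sandboxes)")
        for field in TEXT_FIELDS:
            val = str(rec.get(field, ""))
            if any(w in val.lower() for w in VM_VENDOR_WORDS):
                hits.append(f"{cls}.{field}={val!r}")
    return hits


# Constructed records: a VMware-style guest with default values, and a bare-metal-looking host.
VMWARE_GUEST = [
    {"class": "Win32_Processor", "Name": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz", "NumberOfCores": 1},
    {"class": "Win32_BIOS", "Manufacturer": "Phoenix Technologies LTD",
     "SerialNumber": "VMware-56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"},
    {"class": "Win32_BaseBoard", "Manufacturer": "Intel Corporation", "Product": "440BX Desktop Reference Platform"},
    {"class": "Win32_NetworkAdapter", "Name": "Intel(R) 82574L Gigabit Network Connection", "MACAddress": "00:0C:29:AB:CD:EF"},
]
PHYSICAL_HOST = [
    {"class": "Win32_Processor", "Name": "AMD Ryzen 7 5800X 8-Core Processor", "NumberOfCores": 8},
    {"class": "Win32_BIOS", "Manufacturer": "American Megatrends Inc.", "SerialNumber": "Default string"},
    {"class": "Win32_BaseBoard", "Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "ROG STRIX B550-F GAMING"},
    {"class": "Win32_NetworkAdapter", "Name": "Realtek PCIe GbE Family Controller", "MACAddress": "04:42:1A:11:22:33"},
]

if __name__ == "__main__":
    for label, recs in (("vmware guest", VMWARE_GUEST), ("physical host", PHYSICAL_HOST)):
        print(label, vm_indicators(recs))
```

Every one of the four tells in the constructed guest is a default value a stock VMware image leaks; a sandbox that rewrites the BIOS serial, board product string, MAC OUI and core count removes exactly the evidence this sample's WMI queries are collecting.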

Classification

AV Detection

Source: comprobante de transferencia.exe Avira: detected
Source: comprobante de transferencia.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_36449100 CryptUnprotectData, 2_2_36449100
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_364498F8 CryptUnprotectData, 2_2_364498F8
Source: comprobante de transferencia.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.251.40.142:443 -> 192.168.11.20:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.41.1:443 -> 192.168.11.20:49785 version: TLS 1.2
Source: comprobante de transferencia.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040635D FindFirstFileW,FindClose, 0_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0040635D FindFirstFileW,FindClose, 2_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_004027FB FindFirstFileW, 2_2_004027FB
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
GET /uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
GET /download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: drive.google.com
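The two GET requests above show the payload stage: a direct-download URL on drive.google.com (followed by the redirect target on drive.usercontent.google.com) fetched with a Firefox User-Agent by a process that is not Firefox. The following detection logic is an added example, not part of the report, and runs over constructed proxy/EDR log lines (timestamp, quoted process image, method, URL, quoted User-Agent); only the URLs and User-Agent string are taken from the report, the process paths, timestamps and the second Drive file id are made up.

```python
"""Flag Google Drive direct-download requests made by non-browser processes.
Log format and all log lines are constructed for this example."""
import re
from urllib.parse import urlsplit, parse_qs

# Host -> path of the direct-download endpoint seen in the report.
DRIVE_HOSTS = {"drive.google.com": "/uc", "drive.usercontent.google.com": "/download"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe"}
LINE_RE = re.compile(r'^(?P<ts>\S+) "(?P<proc>[^"]+)" (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def drive_download_id(url):
    """Return the Drive file id when url is a direct-download request, else None."""
    u = urlsplit(url)
    expected_path = DRIVE_HOSTS.get(u.hostname or "")
    if expected_path is None or u.path != expected_path:
        return None
    q = parse_qs(u.query)
    if q.get("export") != ["download"] or not q.get("id"):
        return None
    return q["id"][0]


def flag_non_browser_drive_downloads(log_text):
    """Return one dict per Drive download whose requesting process image is not a known browser."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        file_id = drive_download_id(m["url"])
        if file_id is None:
            continue
        image = m["proc"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in BROWSERS:
            continue
        hits.append({"process": m["proc"], "host": urlsplit(m["url"]).hostname,
                     "file_id": file_id, "user_agent": m["ua"]})
    return hits


# Constructed log: the sample's two requests, a real browser fetching a different Drive file,
# and an unrelated request from the sample that must not match.
SAMPLE_LOG = '''\
2024-03-20T10:01:02Z "C:\\Users\\user\\Desktop\\comprobante de transferencia.exe" GET https://drive.google.com/uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
2024-03-20T10:01:03Z "C:\\Users\\user\\Desktop\\comprobante de transferencia.exe" GET https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
2024-03-20T10:05:41Z "C:\\Program Files\\Mozilla Firefox\\firefox.exe" GET https://drive.google.com/uc?export=download&id=1AbCdEfGhIjKlMnOpQrStUvWxYz012345 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
2024-03-20T10:05:42Z "C:\\Users\\user\\Desktop\\comprobante de transferencia.exe" GET https://www.google.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
'''

if __name__ == "__main__":
    for hit in flag_non_browser_drive_downloads(SAMPLE_LOG):
        print(hit["process"], "->", hit["host"], "file id", hit["file_id"])
```

The file id is the durable indicator here: the IPs (142.251.x.x) are shared Google front ends and the User-Agent is a stock Firefox string, so neither is worth blocking on its own. The process-to-User-Agent mismatch is what makes the request anomalous, which is why the check keys on the requesting image rather than on the UA.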
Source: comprobante de transferencia.exe String found in binary or memory: http://crl.apple.com/root.crl0
Source: comprobante de transferencia.exe String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: comprobante de transferencia.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: comprobante de transferencia.exe String found in binary or memory: http://www.apple.com/appleca0
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/Ar=
Source: comprobante de transferencia.exe, 00000002.00000002.7687982111.0000000005740000.00000004.00001000.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7kfyQ
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZlWTWjrz48C7pJUuwTOgfOjeHFK1G_7k&export=download/r
Source: comprobante de transferencia.exe, 00000002.00000003.2916893113.0000000003AA1000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, comprobante de transferencia.exe, 00000002.00000003.2903958987.0000000003AA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: comprobante de transferencia.exe String found in binary or memory: https://www.apple.com/appleca/0
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: comprobante de transferencia.exe, 00000002.00000003.2903907971.0000000003AFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
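The JA3 value 37f463bf4616ecd445d4a1937da06e19 listed above is the MD5 of five comma-separated fields taken from the ClientHello of the TLS 1.2 sessions to 142.251.40.142 and 142.251.41.1: legacy version, cipher suites, extension types, supported groups and EC point formats, each list dash-joined and with GREASE values removed. The following is an added example, not code from the report or from the sandbox, that builds a ClientHello and derives its JA3 string and hash; the ClientHello is constructed (the cipher and extension choices are Firefox-like but made up), so its hash will not reproduce the value in the report.

```python
"""Derive a JA3 fingerprint from a TLS ClientHello. The ClientHello built in
example_fingerprint() is constructed for this example and is not the sample's."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa are dropped before hashing.
GREASE = {(0x0a + 0x10 * i) * 0x101 for i in range(16)}


def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello; extensions is a list of (type, data)."""
    body = struct.pack(">H", version) + b"\x11" * 32 + b"\x00"      # version, random (fixed here), empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4                                                            # skip handshake type + 3-byte length
    version = struct.unpack_from(">H", hs, p)[0]; p += 2
    p += 32                                                          # random
    p += 1 + hs[p]                                                   # session id
    cs_len = struct.unpack_from(">H", hs, p)[0]; p += 2
    ciphers = list(struct.unpack_from(f">{cs_len // 2}H", hs, p)); p += cs_len
    p += 1 + hs[p]                                                   # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack_from(">H", hs, p)[0]; p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack_from(">HH", hs, p); p += 4
            data = hs[p:p + elen]; p += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 10:                                          # supported_groups: u16 length + u16 list
                n = struct.unpack_from(">H", data, 0)[0] // 2
                groups = [g for g in struct.unpack_from(f">{n}H", data, 2) if g not in GREASE]
            elif etype == 11:                                        # ec_point_formats: u8 length + u8 list
                formats = list(data[1:1 + data[0]])
    fields = [str(version),
              "-".join(str(c) for c in ciphers if c not in GREASE),
              "-".join(map(str, ext_types)),
              "-".join(map(str, groups)),
              "-".join(map(str, formats))]
    text = ",".join(fields)
    return text, hashlib.md5(text.encode()).hexdigest()


def example_fingerprint():
    """Fingerprint a constructed ClientHello that carries GREASE entries on purpose."""
    sni = b"drive.google.com"
    server_name = struct.pack(">H", len(sni) + 3) + b"\x00" + struct.pack(">H", len(sni)) + sni
    supported_groups = struct.pack(">HHHHH", 8, 0x1a1a, 29, 23, 24)   # GREASE, x25519, secp256r1, secp384r1
    extensions = [
        (0x0a0a, b"\x00\x00"),                 # GREASE extension, must be ignored
        (0, server_name),                      # server_name
        (23, b""),                             # extended_master_secret
        (65281, b"\x00"),                      # renegotiation_info
        (10, supported_groups),                # supported_groups
        (11, b"\x01\x00"),                     # ec_point_formats: uncompressed
        (16, b"\x00\x03\x02h2"),               # ALPN
        (13, b"\x00\x04\x04\x03\x08\x04"),     # signature_algorithms
    ]
    record = build_client_hello(0x0303, [0x0a0a, 0x1301, 0x1302, 0xc02b, 0xc02f], extensions)
    return ja3(record)


if __name__ == "__main__":
    text, digest = example_fingerprint()
    print(text)
    print(digest)
```

Note that the first field is the legacy version from the ClientHello body (771 even for TLS 1.3 clients, which negotiate 1.3 via supported_versions), and that a fingerprint identifies the TLS library and its configuration, not the malware family: the report's wording "seen in connection with other malware" is a correlation over prior submissions, so treat a JA3 match as a pivot, not a verdict.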
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052B8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040326A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040326A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_004066E2 0_2_004066E2
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_00404AF5 0_2_00404AF5
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_004066E2 2_2_004066E2
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_00404AF5 2_2_00404AF5
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0015B010 2_2_0015B010
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0015D0F8 2_2_0015D0F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0015A3F8 2_2_0015A3F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_00156530 2_2_00156530
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_001541A7 2_2_001541A7
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_00156522 2_2_00156522
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0015A740 2_2_0015A740
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_36443280 2_2_36443280
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3644E298 2_2_3644E298
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3644F078 2_2_3644F078
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3644C158 2_2_3644C158
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_364465F8 2_2_364465F8
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_36442E7A 2_2_36442E7A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3644B321 2_2_3644B321
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3644A580 2_2_3644A580
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_37055150 2_2_37055150
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_370541EA 2_2_370541EA
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_37050D30 2_2_37050D30
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_37057360 2_2_37057360
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_37050648 2_2_37050648
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_3714B4E0 2_2_3714B4E0
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: String function: 00402BBF appears 51 times
Source: comprobante de transferencia.exe Static PE information: invalid certificate
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs comprobante de transferencia.exe
Source: comprobante de transferencia.exe, 00000002.00000002.7699759602.0000000034019000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Section loaded: vaultcli.dll
Source: classification engine Classification label: mal80.troj.spyw.evad.winEXE@3/9@2/2
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404579
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, 0_2_00402095
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File created: C:\Users\user\Pictures\industrialisere
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Mutant created: NULL
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File created: C:\Users\user\AppData\Local\Temp\nss383C.tmp
Source: comprobante de transferencia.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\comprobante de transferencia.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File read: C:\Users\user\Desktop\comprobante de transferencia.exe
Source: unknown Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2920518142.0000000005056000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_00150C6D push edi; retf 2_2_00150C7A
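The two entries above (push eax; ret at 0_2_10002DE0 and push edi; retf at 2_2_00150C6D) are instances of the "call, push, ret" obfuscation flagged in the signature list: a jump written as push target; ret so that the transfer has no visible target for cross-reference tools. The following scanner is an added example, not code from the report or the sandbox, that finds these idioms in raw code bytes. It generalises slightly beyond the two quoted instances by also matching push imm32; ret and the call $+5; pop reg get-EIP sequence that shellcode-style loaders use; the input buffer is constructed.

```python
"""Scan raw x86 code bytes for push/ret and call/pop control-transfer idioms.
The SAMPLE buffer is constructed for this example; the offsets quoted in the
report come from the sandbox's own disassembly, not from this scanner."""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # order of the push/pop r32 encodings


def find_push_ret(buf):
    """Return (offset, description) for each push/ret, push imm32/ret and call $+5/pop sequence."""
    hits = []
    i, n = 0, len(buf)
    while i < n:
        b = buf[i]
        # 50..57 = push r32, followed by C3 (ret) or CB (retf): jump to whatever the register holds
        if 0x50 <= b <= 0x57 and i + 1 < n and buf[i + 1] in (0xC3, 0xCB):
            mnem = "ret" if buf[i + 1] == 0xC3 else "retf"
            hits.append((i, f"push {REGS[b - 0x50]}; {mnem}"))
            i += 2
        # 68 imm32 followed by C3: an absolute jmp spelled as push/ret, so no jmp target for xref tools
        elif b == 0x68 and i + 5 < n and buf[i + 5] == 0xC3:
            target = int.from_bytes(buf[i + 1:i + 5], "little")
            hits.append((i, f"push 0x{target:08x}; ret (jmp 0x{target:08x})"))
            i += 6
        # E8 00000000 then 58..5F: call the next instruction and pop, which yields EIP for position-independent code
        elif b == 0xE8 and i + 5 < n and buf[i + 1:i + 5] == b"\x00\x00\x00\x00" and 0x58 <= buf[i + 5] <= 0x5F:
            hits.append((i, f"call $+5; pop {REGS[buf[i + 5] - 0x58]} (get-EIP)"))
            i += 6
        else:
            i += 1
    return hits


# Constructed buffer: an ordinary prologue followed by the obfuscation idioms.
SAMPLE = bytes.fromhex(
    "558bec"            # push ebp; mov ebp, esp      (ordinary prologue, must not match)
    "50c3"              # push eax; ret               (as at 0_2_10002DE0)
    "6878563412c3"      # push 0x12345678; ret        (jmp 0x12345678 in disguise)
    "e8000000005b"      # call $+5; pop ebx           (get-EIP)
    "57cb"              # push edi; retf              (as at 2_2_00150C6D)
    "9090"              # nop; nop
)

if __name__ == "__main__":
    for offset, desc in find_push_ret(SAMPLE):
        print(f"{offset:#06x}  {desc}")
```

The scan is byte-level and not instruction-aligned, so immediates and data that happen to contain 0x50-0x57 0xC3 will also match; confirm hits in a disassembler, and for a sample like this one run it over the unpacked memory regions (the 0x364xxxxx and 0x370xxxxx ranges in the report) rather than the NSIS stub on disk.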
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File created: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX (45 occurrences)
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\comprobante de transferencia.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Memory allocated: 34210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Memory allocated: 36210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk3D2F.tmp\System.dll
Source: C:\Users\user\Desktop\comprobante de transferencia.exe API coverage: 2.3 %
Source: C:\Users\user\Desktop\comprobante de transferencia.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\comprobante de transferencia.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040635D FindFirstFileW,FindClose, 0_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0040635D FindFirstFileW,FindClose, 2_2_0040635D
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040580B
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 2_2_004027FB FindFirstFileW, 2_2_004027FB
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: comprobante de transferencia.exe, 00000002.00000002.7687280921.0000000003A85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\comprobante de transferencia.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_00405648 CreateDirectoryW,GetLastError,GetLastError,LdrInitializeThunk,SetFileSecurityW,GetLastError, 0_2_00405648
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Process created: C:\Users\user\Desktop\comprobante de transferencia.exe C:\Users\user\Desktop\comprobante de transferencia.exe
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Users\user\Desktop\comprobante de transferencia.exe VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040326A
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\comprobante de transferencia.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\comprobante de transferencia.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000002.00000002.7701035769.0000000034211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: comprobante de transferencia.exe PID: 8496, type: MEMORYSTR