Edit tour

Windows Analysis Report
Cotizaci#U00f3n____________________pdf.exe

Overview

General Information

Sample name:	Cotizaci#U00f3n____________________pdf.exe renamed because original name is a hash value
Original sample name:	Cotizacin____________________pdf.exe
Analysis ID:	1595172
MD5:	4089494500889c8e9a8b62f1b6f3ce9a
SHA1:	254d9517e2ee35689f17c97e4e8778b7554e2f4a
SHA256:	799332983f0739446bd4e37db4163529d016947426bdc4ee519dc2e5976445f7
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkCloud

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Cotizaci#U00f3n____________________pdf.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

Cotizaci#U00f3n____________________pdf.exe (PID: 8004 cmdline: "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

flaminical.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

flaminical.exe (PID: 6864 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

flaminical.exe (PID: 6156 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

flaminical.exe (PID: 6844 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe" MD5: 4089494500889C8E9A8B62F1B6F3CE9A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Malware Configuration

Threatname: DarkCloud

{"Exfil Mode": "SMTP", "To Address": "gmartinez@dijisa.com.pe", "From Address": "charleskingsley91@gmail.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x493c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x320b4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: Cotizaci#U00f3n____________________pdf.exe PID: 7820	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: Cotizaci#U00f3n____________________pdf.exe PID: 7820	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: flaminical.exe PID: 7636	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: flaminical.exe PID: 6864	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: flaminical.exe PID: 6156	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: flaminical.exe PID: 6156	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.flaminical.exe.42c1448.4.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
9.2.flaminical.exe.4288b18.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
9.2.flaminical.exe.42e9b38.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
9.2.flaminical.exe.42c1448.4.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
9.2.flaminical.exe.4288b18.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
9.2.flaminical.exe.42e9b38.0.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.Cotizaci#U00f3n____________________pdf.exe.48234a0.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe, ProcessId: 8004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\firebrick

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:54:28.010508+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49741	162.55.60.2	80	TCP
2025-01-20T14:54:45.555981+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49858	162.55.60.2	80	TCP
2025-01-20T14:54:52.683931+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49903	162.55.60.2	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Cotizaci#U00f3n____________________pdf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Avira: detection malicious, Label: HEUR/AGEN.1309861

Found malware configuration

Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.raw.unpack

Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "gmartinez@dijisa.com.pe", "From Address": "charleskingsley91@gmail.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Cotizaci#U00f3n____________________pdf.exe	ReversingLabs: Detection: 65%
Source: Cotizaci#U00f3n____________________pdf.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Cotizaci#U00f3n____________________pdf.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Cookies
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: \Default\Login Data
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: \Login Data
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Password :
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: SMTP Email Address
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: NNTP Email Address
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Email
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: HTTPMail User Name
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: HTTPMail Server
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Password
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^3[47][0-9]{13}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^389[0-9]{11}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^63[7-9][0-9]{13}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Visa Card
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^9[0-9]{15}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Mastercard
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(62[0-9]{14,17})$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Visa Master Card
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: \logins.json
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Foxmail.exe
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: mail\
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: \AccCfg\Accounts.tdat
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: EnableSignature
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: Application : FoxMail
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: encryptedUsername
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: logins
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: encryptedPassword
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: charleskingsley91@gmail.com
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: W.pdb4 source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2543341625.0000000000436000.00000040.00000400.00020000.00000000.sdmp, flaminical.exe, 00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp

Source: Joe Sandbox View

IP Address: 162.55.60.2 162.55.60.2

Source: unknown

DNS query: name: showip.net

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49741 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49858 -> 162.55.60.2:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49903 -> 162.55.60.2:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Code function: 8_2_00432DF0 InternetOpenA,InternetOpenUrlA,InternetReadFile,

8_2_00432DF0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net

Source: global traffic

DNS traffic detected: DNS query: showip.net

Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schema.org
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net
Source: flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net.
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.0000000001188000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.0000000001204000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2544624018.0000000001458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/
Source: flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/6
Source: flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/L
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/Pl
Source: flaminical.exe, 00000008.00000002.2545224413.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/_1
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/jl
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.net/z
Source: flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netD
Source: flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.nete
Source: flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netllZ
Source: flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://showip.netth
Source: flaminical.exe, 00000008.00000002.2546814897.000000000124E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.maxmind.com
Source: WebData.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: WebData.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WebData.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: WebData.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: WebData.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: WebData.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: WebData.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546339255.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549168648.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546814897.000000000124E000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.000000000122A000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2548709971.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.000000000122D000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2549166031.0000000004480000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546507421.0000000001534000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546643337.0000000001542000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2549166031.0000000004487000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546377775.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showip.net/?checkip=
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546675744.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://unpkg.com/leaflet
Source: WebData.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: WebData.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546339255.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549168648.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2548709971.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.000000000122D000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2549166031.0000000004487000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546377775.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546339255.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546675744.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openstreetmap.org/copyright

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

.NET source code contains very large array initializations

Source: Cotizaci#U00f3n____________________pdf.exe, Program.cs	Large array initialization: Program: array initializer size 2391
Source: Cotizaci#U00f3n____________________pdf.exe, Form2.cs	Large array initialization: : array initializer size 820496

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Cotizaci#U00f3n____________________pdf.exe

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_04F14D28	0_2_04F14D28
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_04F10D90	0_2_04F10D90
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_04F10D80	0_2_04F10D80
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_04F111C8	0_2_04F111C8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_04F111B8	0_2_04F111B8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_054F1564	0_2_054F1564
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_054F35C1	0_2_054F35C1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_054F3608	0_2_054F3608
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_054F3618	0_2_054F3618
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5768	0_2_075B5768
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B7210	0_2_075B7210
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B0040	0_2_075B0040
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B2090	0_2_075B2090
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B0B70	0_2_075B0B70
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5BA8	0_2_075B5BA8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5759	0_2_075B5759
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075BF550	0_2_075BF550
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5570	0_2_075B5570
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5560	0_2_075B5560
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6590	0_2_075B6590
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6581	0_2_075B6581
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B7201	0_2_075B7201
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B12D8	0_2_075B12D8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B12CA	0_2_075B12CA
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B52F8	0_2_075B52F8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B52E9	0_2_075B52E9
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6148	0_2_075B6148
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075BF118	0_2_075BF118
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6138	0_2_075B6138
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B001E	0_2_075B001E
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B50D8	0_2_075B50D8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B50C8	0_2_075B50C8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B8098	0_2_075B8098
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B2082	0_2_075B2082
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B80A8	0_2_075B80A8
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B3E98	0_2_075B3E98
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B3E89	0_2_075B3E89
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5DF0	0_2_075B5DF0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5DE0	0_2_075B5DE0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B3CA1	0_2_075B3CA1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B0B49	0_2_075B0B49
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B1B0F	0_2_075B1B0F
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B1B20	0_2_075B1B20
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B5B99	0_2_075B5B99
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6A50	0_2_075B6A50
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B4A48	0_2_075B4A48
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B6A41	0_2_075B6A41
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B4A3A	0_2_075B4A3A
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B7AC0	0_2_075B7AC0
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B7AB1	0_2_075B7AB1
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075BF988	0_2_075BF988
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 3_2_0040BEB7	3_2_0040BEB7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_03254D28	7_2_03254D28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_032511B8	7_2_032511B8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_032511C8	7_2_032511C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_03250D90	7_2_03250D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5768	7_2_076D5768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D7210	7_2_076D7210
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D0040	7_2_076D0040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D2090	7_2_076D2090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D0B70	7_2_076D0B70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5BA8	7_2_076D5BA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5759	7_2_076D5759
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5560	7_2_076D5560
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5570	7_2_076D5570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076DF550	7_2_076DF550
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6581	7_2_076D6581
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6590	7_2_076D6590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D7201	7_2_076D7201
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D52E9	7_2_076D52E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D52F8	7_2_076D52F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D12CA	7_2_076D12CA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D12D8	7_2_076D12D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6148	7_2_076D6148
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6138	7_2_076D6138
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076DF118	7_2_076DF118
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D001F	7_2_076D001F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D50C8	7_2_076D50C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D50D8	7_2_076D50D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D80A8	7_2_076D80A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D2082	7_2_076D2082
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D8098	7_2_076D8098
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D3E98	7_2_076D3E98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D3E95	7_2_076D3E95
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5DE0	7_2_076D5DE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5DF0	7_2_076D5DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D3CA1	7_2_076D3CA1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D0B49	7_2_076D0B49
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D1B20	7_2_076D1B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D1B0F	7_2_076D1B0F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D5B99	7_2_076D5B99
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D4A48	7_2_076D4A48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6A41	7_2_076D6A41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D6A50	7_2_076D6A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D4A3A	7_2_076D4A3A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D7AC0	7_2_076D7AC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D7AB1	7_2_076D7AB1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076DF979	7_2_076DF979
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076DF988	7_2_076DF988
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_04C635C1	9_2_04C635C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_04C61564	9_2_04C61564
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_04C63608	9_2_04C63608
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_04C63618	9_2_04C63618
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75768	9_2_06C75768
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C77210	9_2_06C77210
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C72090	9_2_06C72090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C70040	9_2_06C70040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75BA8	9_2_06C75BA8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C70B70	9_2_06C70B70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75763	9_2_06C75763
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76581	9_2_06C76581
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7658B	9_2_06C7658B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76590	9_2_06C76590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7F550	9_2_06C7F550
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75560	9_2_06C75560
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7556B	9_2_06C7556B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75570	9_2_06C75570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C712C9	9_2_06C712C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C712D8	9_2_06C712D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C752E9	9_2_06C752E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C752F8	9_2_06C752F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C77201	9_2_06C77201
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7720B	9_2_06C7720B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C750C8	9_2_06C750C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C750D8	9_2_06C750D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C72080	9_2_06C72080
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C78098	9_2_06C78098
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C780A3	9_2_06C780A3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C780A8	9_2_06C780A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7001D	9_2_06C7001D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7003B	9_2_06C7003B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76148	9_2_06C76148
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7F118	9_2_06C7F118
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76138	9_2_06C76138
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C73E89	9_2_06C73E89
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C73E98	9_2_06C73E98
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C73CA1	9_2_06C73CA1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75DE0	9_2_06C75DE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75DEB	9_2_06C75DEB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75DF0	9_2_06C75DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C77AC0	9_2_06C77AC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C70AD0	9_2_06C70AD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C77ABB	9_2_06C77ABB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76A41	9_2_06C76A41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C74A48	9_2_06C74A48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C76A50	9_2_06C76A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C74A39	9_2_06C74A39
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75B99	9_2_06C75B99
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C75BA3	9_2_06C75BA3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C71B0F	9_2_06C71B0F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C71B20	9_2_06C71B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7F988	9_2_06C7F988
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD4D28	9_2_06DD4D28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD11C8	9_2_06DD11C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD0D90	9_2_06DD0D90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD0D80	9_2_06DD0D80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD11B8	9_2_06DD11B8

Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000000.1296591351.0000000000C38000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelwJP.exe4 vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefrolics.exe vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefrolics.exe vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1325958410.0000000007440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1318991716.000000000136E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1326742738.000000000B820000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Cotizaci#U00f3n____________________pdf.exe
Source: Cotizaci#U00f3n____________________pdf.exe	Binary or memory string: OriginalFilenamelwJP.exe4 vs Cotizaci#U00f3n____________________pdf.exe

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Cotizaci#U00f3n____________________pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: flaminical.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, XV9rIENvYWDitmwZM4.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, XV9rIENvYWDitmwZM4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, fLavnwsJQAJGZZE6eX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, fLavnwsJQAJGZZE6eX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, fLavnwsJQAJGZZE6eX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2543337062.0000000000437000.00000040.00000400.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2543341625.0000000000436000.00000040.00000400.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2543322963.0000000000437000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: `=@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp ^l
Source: Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2543337062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, flaminical.exe, 00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp, flaminical.exe, 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -@pC*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: Cotizaci#U00f3n____________________pdf.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/5@1/1

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cotizaci#U00f3n____________________pdf.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Mutant created: NULL

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Cotizaci#U00f3n____________________pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Cotizaci#U00f3n____________________pdf.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: LogfotheringXKGFwCrmvgZsFQeDdcQdJPTxKGYxDzkagfluently.3.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Cotizaci#U00f3n____________________pdf.exe	ReversingLabs: Detection: 65%
Source: Cotizaci#U00f3n____________________pdf.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

File read: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Cotizaci#U00f3n____________________pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.7440000.6.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, fLavnwsJQAJGZZE6eX.cs	.Net Code: OQVTG0bgnw System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_054FE60E pushad ; retf	0_2_054FE615
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Code function: 0_2_075B036B push ecx; ret	0_2_075B036C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 7_2_076D036B push ecx; ret	7_2_076D036C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06C7036B push ecx; ret	9_2_06C7036C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Code function: 9_2_06DD33CF push es; iretd	9_2_06DD33DC

Source: Cotizaci#U00f3n____________________pdf.exe	Static PE information: section name: .text entropy: 7.90224334412411
Source: flaminical.exe.3.dr	Static PE information: section name: .text entropy: 7.90224334412411

Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, CMI0P869nnwZbAR2dOG.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kcLR7jVyOh', 'lPTRnYSpfn', 'KqjROUjYLb', 'R95RteECR0', 'fp2RvVU5ZU', 'rfsRfqiSxH', 'Me5RP5Tao8'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, nqhGCdKrAxHnCIr3Qs.cs	High entropy of concatenated method names: 'FK2ZrYesYq', 'WByZVrKUuT', 'UIcZm81D4x', 'c5DmMrE516', 'oSNmz1Iwyh', 'RBqZ9w9Bjj', 'jx2Z63xKVc', 'DN5ZqSxpGA', 'OZGZScLFCI', 'EULZT4UEtk'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, AV5U7by37ddfXZTXbL.cs	High entropy of concatenated method names: 'BfMiI4St9S', 'DvXiETJMEf', 'UDtiiSFuEb', 'OVeiou3vy8', 'bT1ikDxRjq', 'AiPi2Ni72d', 'Dispose', 'fuCDrB0rQN', 'udHD8NPMl1', 'gObDVToIU6'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, fLavnwsJQAJGZZE6eX.cs	High entropy of concatenated method names: 'xHMSLTQ2pT', 'n4kSrbHQS5', 'IInS8sU7qe', 'omcSVjmh39', 'AGiS5IRWtL', 'N7YSmfTHWs', 'fgsSZJ5m9b', 'eoVSsl8Fd5', 'xgCSaEQ7hx', 'uhYSY9LaKk'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, EuEvNDfSxguBdG9Ta1.cs	High entropy of concatenated method names: 'ToString', 'rV1e7KHY6N', 'sVxeWEU9AF', 'QWmeCksLI7', 'RF2ehR4aPx', 'GdCeupF7U9', 'dp8eX1NBhc', 'yUNeKBqHMg', 'p1ce3SqYtM', 'rUheUpUOnj'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, w86qbSqKFWXjsUw9Ef.cs	High entropy of concatenated method names: 'fbcGmWvIl', 't5YgcfV7r', 'jmsQMdknv', 'vDOJ3byhM', 'K6udc2vsy', 'l3f1CdGYH', 'YQjnbRjL9NsnsYTyqp', 'yVDGR1hBt5pG5wAVKq', 'nLrD5rSav', 'm5SRHXJW6'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, MZd0fJwexIvngsI055.cs	High entropy of concatenated method names: 'zGwE4SBbQo', 'jYOEMGRjQr', 'vG8D9KGvl7', 'c4yD6p7Ube', 'mQYE7AN9PF', 'tRREnbtWVK', 'qFwEOZJl0Q', 'fJaEtPmw7K', 'iXuEvOOMZQ', 'pFaEfgFAKM'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, FmFR7CM0v0shoHwLRS.cs	High entropy of concatenated method names: 'idtRVynn8T', 'LKvR5vrLvt', 'cZ5RmvUNZC', 'T71RZYenTT', 'oPnRiMud2U', 'GURRsdOQic', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, VjPGln1w0adboeDLOn.cs	High entropy of concatenated method names: 'HmG5Bx8RCC', 'SlN5JnkVcQ', 'KAaVC0Pd7g', 'LevVhTZXU8', 'UrqVuc15rZ', 'CyEVXZkoog', 'QbAVKJffmP', 'GUAV3KdxX0', 'WDlVUwtHjB', 'y6fV08qw6V'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, cqDJxN8ER1cvpRLSEr.cs	High entropy of concatenated method names: 'Dispose', 'Edf6HXZTXb', 'lHCqWt2krf', 'qULPtdVrRq', 'eNI6M7ULMf', 'NyO6z5vj21', 'ProcessDialogKey', 'Tsqq96ksS2', 'RoBq6gstSJ', 'nIvqq1mFR7'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, XV9rIENvYWDitmwZM4.cs	High entropy of concatenated method names: 'mlG8tet1ls', 'hnn8vZaIHi', 'P5t8fidSQy', 's0c8PZbduv', 'gyg8xMfPen', 'dqD8wqjvEC', 'Vvi8ydRCsX', 'uJ984OHR24', 'R6h8HRDfdf', 'wmQ8MpnSVt'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, pyiQTlzNIjSfeuFMsW.cs	High entropy of concatenated method names: 'v3qRQsrvj9', 'qsRRNOJ1fF', 'w5qRdid8Zk', 'LGmRFoUvyl', 'ab9RWq9eOj', 'qiJRhKA9kR', 'ToaRuiEajS', 'R9FR2XyNU4', 'W3uRbhKAsg', 'kiIRjkcF0i'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, WGqbsYOuck1mZU96qt.cs	High entropy of concatenated method names: 'TWOcNb9M0g', 'Fc5cdiG4Be', 'lLmcFT1CpK', 'pxpcWKHZ3e', 'mADchG5Wq7', 'NVhcuoxZqm', 'n32cKBLY4E', 'AlNc3vv2lb', 'BDfc0Opb9S', 'eBYc7SLdGn'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, AiERFWTx6L7RCBEO7M.cs	High entropy of concatenated method names: 'wDH6ZV9rIE', 'RYW6sDitmw', 'g9h6Yfigv7', 'Y3I6pNyjPG', 'pDL6IOnwCO', 'H9i6e1nN4k', 'MXgTvQ06gH5tKrV5Nr', 'sA7r9WiIQfbBVsttGe', 'C8m66VKU9v', 'hbO6SO81Ul'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, ILZgT8d9hfigv7M3IN.cs	High entropy of concatenated method names: 'gBZVgdFj34', 'zNRVQdQ1TT', 'mY9VNpmVA7', 'odjVdhotc8', 'UyZVIE2ZyO', 'vIQVeTqdTC', 'bgXVEkQamP', 'rNtVD3U33b', 'EEoViHhPWa', 'AsSVR2udsv'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, OdYfE36TaoNmXex0DlW.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tguli0H6mW', 'LumlRcd3jq', 'BWnloKOWTX', 'G1KllymDtu', 'W5plkUjYXp', 'sIylAKJCvW', 'uFMl2d2uVh'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, c6ksS2HvoBgstSJpIv.cs	High entropy of concatenated method names: 'FZviFJYs8C', 'ebriWdeATc', 'FfYiCUnqv2', 'kWOihdlRhp', 'EijiuFYrIs', 'wlXiXyrfg2', 'vQ9iKge0eh', 'ugAi3hwdDU', 'AsOiUhUunc', 'gaoi0iNaxb'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, mI30CJURL3EJDDpDtc.cs	High entropy of concatenated method names: 'OTGZbD8r0o', 'VuQZj0Hdui', 'BVpZGhmNPr', 'MkWZgXsU04', 'lXtZB20fc7', 'PTMZQq1dQb', 'OScZJv5LHA', 'AedZN1Er2d', 'eJjZdfsfgd', 'vbYZ1krwqj'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, F1dOpC66c8ivIExc85n.cs	High entropy of concatenated method names: 'lLjRMG5fSL', 'ixoRzKmIqZ', 'uQko9l0rKJ', 'yM3o69KMRR', 'hR4oq686sv', 'dF8oSVxQ75', 'gkHoTKpqJ0', 'n8UoLJMao6', 'U5yoryt6l7', 'z2xo8BxjRk'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, rVrmxItBEZXWrXADjW.cs	High entropy of concatenated method names: 'FYJI0RMCYg', 'A9mInke8WO', 'PfmItiJKVX', 'p7YIvZyVJg', 'Np2IW2gURG', 'AHvICo96a8', 'aamIhKbttt', 'enoIu53S1c', 'lA3IXLFc6R', 'noaIKVo1in'
Source: 0.2.Cotizaci#U00f3n____________________pdf.exe.b820000.7.raw.unpack, UCOW9iF1nN4kf8vjg3.cs	High entropy of concatenated method names: 'W6DmL2A7qa', 'nggm8HvGn4', 'CWVm515Ull', 'qPMmZjDfRO', 'aCpmsK0fUC', 'JNy5x4L3eP', 'IDJ5wXb3Q8', 'npL5yPU4R4', 'FiI540JWhR', 'xgf5HRhpQI'

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce firebrick	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce firebrick	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce firebrick	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce firebrick	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n____________________pdf.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 7636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 6156, type: MEMORYSTR

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: 4F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: 9400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: 7BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: A400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: B400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: B8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory allocated: C8D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 1A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 9240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 7820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: A240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: B240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: B840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: C840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 4620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 8040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 9040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: 9220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: A220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: AA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: BA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory allocated: CA00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe TID: 7840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe TID: 180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.0000000001230000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHH#
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctiveuserers.co.inVMware20,11696501413d
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413(
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: flaminical.exe, 00000008.00000002.2546433872.0000000001230000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e365.comVMware20,11696501413t
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Memory written: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Process created: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe "C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 9.2.flaminical.exe.42c1448.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.4288b18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42e9b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42c1448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.4288b18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42e9b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.48234a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n____________________pdf.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 6156, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 9.2.flaminical.exe.42c1448.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.4288b18.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42e9b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4709990.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42c1448.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.4288b18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.flaminical.exe.42e9b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a56808.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.4a1ded8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Cotizaci#U00f3n____________________pdf.exe.48234a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Cotizaci#U00f3n____________________pdf.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 6864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: flaminical.exe PID: 6156, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Cotizaci#U00f3n____________________pdf.exe	66%	ReversingLabs	Win32.Trojan.Leonem
Cotizaci#U00f3n____________________pdf.exe	71%	Virustotal		Browse
Cotizaci#U00f3n____________________pdf.exe	100%	Avira	HEUR/AGEN.1309861
Cotizaci#U00f3n____________________pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	100%	Avira	HEUR/AGEN.1309861
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe	66%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://showip.net/jl	0%	Avira URL Cloud	safe
http://showip.net.	0%	Avira URL Cloud	safe
http://showip.net/z	0%	Avira URL Cloud	safe
http://showip.net/Pl	0%	Avira URL Cloud	safe
http://showip.net/6	0%	Avira URL Cloud	safe
http://showip.nete	0%	Avira URL Cloud	safe
http://showip.netth	0%	Avira URL Cloud	safe
http://showip.net/L	0%	Avira URL Cloud	safe
http://showip.netD	0%	Avira URL Cloud	safe
http://showip.net/	0%	Avira URL Cloud	safe
http://showip.netllZ	0%	Avira URL Cloud	safe
http://showip.net/_1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
showip.net	162.55.60.2	true	false		unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showip.net/jl	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	WebData.3.dr	false		high
https://duckduckgo.com/ac/?q=	WebData.3.dr	false		high
https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2545950626.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546339255.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549168648.0000000003F20000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546814897.000000000124E000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.000000000122A000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2548709971.0000000003F70000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2546433872.000000000122D000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2549166031.0000000004480000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546507421.0000000001534000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546643337.0000000001542000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2549166031.0000000004487000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2546377775.000000000151E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	WebData.3.dr	false		high
https://showip.net/	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/6	flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://showip.netD	flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://unpkg.com/leaflet	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546675744.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.nete	flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	WebData.3.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	WebData.3.dr	false		high
https://showip.net/?checkip=	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/z	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://showip.net.	flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	WebData.3.dr	false		high
http://showip.net/	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.0000000001188000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.0000000001204000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2545952274.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2544624018.0000000001458000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://showip.net	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.netth	flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	WebData.3.dr	false		high
http://schema.org	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2549219357.0000000003F28000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/L	flaminical.exe, 0000000A.00000002.2544624018.000000000149D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://showip.net/Pl	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2544650385.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	WebData.3.dr	false		high
https://www.openstreetmap.org/copyright	Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546339255.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, Cotizaci#U00f3n____________________pdf.exe, 00000003.00000002.2546675744.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://showip.net/_1	flaminical.exe, 00000008.00000002.2545224413.0000000001188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.maxmind.com	flaminical.exe, 00000008.00000002.2546814897.000000000124E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	WebData.3.dr	false		high
http://showip.netllZ	flaminical.exe, 00000008.00000002.2545224413.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.55.60.2	showip.net	United States		35893	ACPCA	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1595172
Start date and time:	2025-01-20 14:53:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Cotizaci#U00f3n____________________pdf.exe renamed because original name is a hash value
Original Sample Name:	Cotizacin____________________pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/5@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 496 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Cotizaci#U00f3n____________________pdf.exe, PID 8004 because it is empty
Execution Graph export aborted for target flaminical.exe, PID 6844 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:54:23	API Interceptor	1x Sleep call for process: Cotizaci#U00f3n____________________pdf.exe modified
08:54:40	API Interceptor	2x Sleep call for process: flaminical.exe modified
14:54:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce firebrick C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
14:54:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce firebrick C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.55.60.2	payment slip______________________pdf.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	PO.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	UToB1WBfv0.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	AGrsqxaSjd.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	showip.net/
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	showip.net/
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	showip.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
showip.net	payment slip______________________pdf.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	PO.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	UToB1WBfv0.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	AGrsqxaSjd.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	yMvZXcwN2OdoP6x.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	oS6KsQIqJxe038Y.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	Purchase Order AB013058.PDF.exe	Get hash	malicious	DarkCloud, PureLog Stealer	Browse	162.55.60.2
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	8m65n7ieJC.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
s-part-0017.t-0009.t-msedge.net	Revised Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	13.107.246.45
	https://www.canva.com/link?target=https%3A%2F%2Fhlbc.uscourtfilevault.com%2FCGZu5&design=DAGcXth4-wU&accessRole=viewer&linkSource=document,	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://jantaexpress.com/UyRV4rC	Get hash	malicious	Unknown	Browse	13.107.246.45
	ICode[B8ERJ-E7LE4-BZSYK-CL15D].exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Guido.grentzmann-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://officepr0ject.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://goo.su/m4cvgAA	Get hash	malicious	Unknown	Browse	13.107.246.45
	FeFefxhz7o.exe	Get hash	malicious	RedLine, SectopRAT	Browse	13.107.246.45
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ACPCA	Personliche Nachricht fur UTF 8 Q Jaroslav Hren C3 A1k.pdf	Get hash	malicious	HTMLPhisher	Browse	162.55.236.224
	payment slip______________________pdf.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	https://cancelartransferenciaprogramadabdb.glitch.me/	Get hash	malicious	Unknown	Browse	162.55.133.151
	Handler.exe	Get hash	malicious	DanaBot, PureLog Stealer, Vidar	Browse	162.0.209.157
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	162.52.78.29
	DESCRIPTION.exe	Get hash	malicious	DarkCloud	Browse	162.55.60.2
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	162.0.215.244
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	162.0.209.157
	elitebotnet.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	162.0.4.79
	elitebotnet.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	162.49.96.105

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPE4KMRuAE4KzeRE4Kx1qE4qXKIE4oKNzKorE4x84j:MxHKlYHKh3oPHKMRuAHKzeRHKx1qHitP
MD5:	10BC6861BF0014A5AC0511B9194E68D4
SHA1:	8C02D5E85FB6E36F47C617690880976E78CC47B0
SHA-256:	4E3EC448C79C39651C285E068B1B98912494A01F9FF087530004AB06EEED051C
SHA-512:	088A5A2B7E2E16D47E0AE2451E62932FDE35F3BE1A44DBD15BE8455CD5B5577434634C8ABDF402B133B0210C94B6C7C327D85DFEED9883CC68FA09D780E7C713
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\flaminical.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPE4KMRuAE4KzeRE4Kx1qE4qXKIE4oKNzKorE4x84j:MxHKlYHKh3oPHKMRuAHKzeRHKx1qHitP
MD5:	10BC6861BF0014A5AC0511B9194E68D4
SHA1:	8C02D5E85FB6E36F47C617690880976E78CC47B0
SHA-256:	4E3EC448C79C39651C285E068B1B98912494A01F9FF087530004AB06EEED051C
SHA-512:	088A5A2B7E2E16D47E0AE2451E62932FDE35F3BE1A44DBD15BE8455CD5B5577434634C8ABDF402B133B0210C94B6C7C327D85DFEED9883CC68FA09D780E7C713
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfotheringXKGFwCrmvgZsFQeDdcQdJPTxKGYxDzkagfluently

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1368932887859682
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
MD5:	9A534FD57BED1D3E9815232E05CCF696
SHA1:	916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
SHA-256:	7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
SHA-512:	ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Download File

Process:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	937984
Entropy (8bit):	7.896802396465828
Encrypted:	false
SSDEEP:	24576:KUXXe0phh5ilYc+ZQO7f8CfWFTHnDUnSBdo:ZXe0phh/c+aMf8G8HuR
MD5:	4089494500889C8E9A8B62F1B6F3CE9A
SHA1:	254D9517E2EE35689F17C97E4E8778B7554E2F4A
SHA-256:	799332983F0739446BD4E37DB4163529D016947426BDC4EE519DC2E5976445F7
SHA-512:	CBFF35886F3172E6DD775E96C12FC1F442013EAC0D7F509ADBE604BE21218032D3AAB7DB13E22B9FF343F1DC8711A13200F5BBDC981DCA553654532E6EB67BE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.g.................F...........e... ........@.. ....................................@..................................d..W.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............N..............@..B.................d......H............a...........................................................0..A....... .........%.....(......... .........%.w...(.....x...(:........&....0..K........~....}.....~....}.....~....}.....#........}......}.....(.....(.........&.v.{.... .... ....(...+.....&...0..N..........E.......&..............~....}.....{.....{.... .... ....(...+..+......&*...0..........~......~x.........E#...........X.......i.......t...\|...................\|...Q.......f...n...............V

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.896802396465828
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Cotizaci#U00f3n____________________pdf.exe
File size:	937'984 bytes
MD5:	4089494500889c8e9a8b62f1b6f3ce9a
SHA1:	254d9517e2ee35689f17c97e4e8778b7554e2f4a
SHA256:	799332983f0739446bd4e37db4163529d016947426bdc4ee519dc2e5976445f7
SHA512:	cbff35886f3172e6dd775e96c12fc1f442013eac0d7f509adbe604be21218032d3aab7db13e22b9ff343f1dc8711a13200f5bbdc981dca553654532e6eb67be1
SSDEEP:	24576:KUXXe0phh5ilYc+ZQO7f8CfWFTHnDUnSBdo:ZXe0phh/c+aMf8G8HuR
TLSH:	1315125DFABABA60C34C0FB7C543911482A74A178A21F25B1DDDACE74D3AB95C10BB13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....h.g.................F...........e... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4e650e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x678A6892 [Fri Jan 17 14:26:26 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe64b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe4514	0xe4600	ef10a18b15e241ec2c46932a0372c9e5	False	0.9378795070470717	SysEx File -	7.90224334412411	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x600	0x600	bd8d941e8b1a45c8d73d8d32012edbdf	False	0.419921875	data	4.058625591714468	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	7f98598eb415c495079560961f9c4d06	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe8090	0x30c	data			0.4371794871794872
RT_MANIFEST	0xe83ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-20T14:54:28.010508+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49741	162.55.60.2	80	TCP
2025-01-20T14:54:45.555981+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49858	162.55.60.2	80	TCP
2025-01-20T14:54:52.683931+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49903	162.55.60.2	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2025 14:54:27.358098030 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:27.362931967 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:27.363030910 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:27.363284111 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:27.368032932 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010405064 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010420084 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010425091 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010436058 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010456085 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010466099 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010477066 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010487080 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010495901 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010505915 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.010508060 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.010546923 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.010548115 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.015436888 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.015449047 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.015459061 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.015532017 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.015532017 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.108800888 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.108830929 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.108844042 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.108858109 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.108872890 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.108886957 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.109093904 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.109206915 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.109226942 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.109241009 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.109251976 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.109253883 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.109263897 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:28.109288931 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:28.109357119 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:44.907723904 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:44.912486076 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:44.912667990 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:44.912956953 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:44.917696953 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.555881977 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.555927992 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.555963039 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.555980921 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.555980921 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.555998087 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556013107 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556035995 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556075096 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556076050 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556111097 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556145906 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556162119 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556162119 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556180954 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556216955 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.556263924 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556263924 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.556263924 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.561099052 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.561156988 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.561212063 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.561280012 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.561305046 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.561361074 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.654756069 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.654799938 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.654839039 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.654877901 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.654918909 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.654918909 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.654918909 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.654966116 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655002117 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655040026 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655070066 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655077934 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.655077934 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.655077934 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.655333042 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.655447006 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655481100 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655514956 CET	80	49858	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:45.655729055 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:45.655729055 CET	49858	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.018383980 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.023519039 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.023606062 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.023921967 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.028829098 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683809996 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683881998 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683897972 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683913946 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683929920 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683931112 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.683945894 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683959961 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.683959961 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.683962107 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683978081 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.683986902 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.683995962 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.684000015 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.684010029 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.684019089 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.684032917 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.684151888 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.688971996 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.688992023 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.689003944 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.689105034 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.689105988 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.783668041 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783682108 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783693075 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783704996 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783716917 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783730984 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.783766985 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.783816099 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.784146070 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.784183979 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.784199953 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.784256935 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.784257889 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:54:52.784267902 CET	80	49903	162.55.60.2	192.168.2.10
Jan 20, 2025 14:54:52.784435987 CET	49903	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:56:17.323007107 CET	49741	80	192.168.2.10	162.55.60.2
Jan 20, 2025 14:56:17.328253031 CET	80	49741	162.55.60.2	192.168.2.10
Jan 20, 2025 14:56:17.328373909 CET	49741	80	192.168.2.10	162.55.60.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 20, 2025 14:54:27.338884115 CET	58315	53	192.168.2.10	1.1.1.1
Jan 20, 2025 14:54:27.351986885 CET	53	58315	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 20, 2025 14:54:27.338884115 CET	192.168.2.10	1.1.1.1	0x3d68	Standard query (0)	showip.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 20, 2025 14:54:20.802726984 CET	1.1.1.1	192.168.2.10	0x6d31	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 20, 2025 14:54:20.802726984 CET	1.1.1.1	192.168.2.10	0x6d31	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 20, 2025 14:54:27.351986885 CET	1.1.1.1	192.168.2.10	0x3d68	No error (0)	showip.net		162.55.60.2	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

showip.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49741	162.55.60.2	80	8004	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 20, 2025 14:54:27.363284111 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Jan 20, 2025 14:54:28.010405064 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Mon, 20 Jan 2025 13:54:27 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 36 32 66 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 62f5<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Jan 20, 2025 14:54:28.010420084 CET	224	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)ret
Jan 20, 2025 14:54:28.010425091 CET	1236	IN	Data Raw: 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 65 61 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 Data Ascii: urn a;a[b]=c.value;return a}; function ea(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==M
Jan 20, 2025 14:54:28.010436058 CET	1236	IN	Data Raw: 67 74 68 3b 63 2b 2b 29 62 5b 63 2d 61 5d 3d 61 72 67 75 6d 65 6e 74 73 5b 63 5d 3b 72 65 74 75 72 6e 20 62 7d 0a 20 20 20 20 20 20 76 61 72 20 6e 61 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 61 73 73 69 67 Data Ascii: gth;c++)b[c-a]=arguments[c];return b} var na="function"==typeof Object.assign?Object.assign:function(a,b){for(var c=1;c<arguments.length;c++){var d=arguments[c];if(d)for(var e in d)Object.prototype.hasOwnProperty.call(d,e)&&(a[e]=d[e])}r
Jan 20, 2025 14:54:28.010456085 CET	1236	IN	Data Raw: 20 30 2c 47 3d 46 3f 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 46 5d 7c 3d 62 7d 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 6f 69 64 20 30 21 3d 3d 61 2e 67 3f 61 2e 67 7c 3d 62 3a 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 Data Ascii: 0,G=F?function(a,b){a[F]\|=b}:function(a,b){void 0!==a.g?a.g\|=b:Object.defineProperties(a,{g:{value:b,configurable:!0,writable:!0,enumerable:!1}})};function va(a){var b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a
Jan 20, 2025 14:54:28.010466099 CET	1236	IN	Data Raw: 65 61 6b 20 61 7d 7d 62 26 26 28 67 3d 28 64 3e 3e 39 26 31 29 2d 31 2c 62 3d 4d 61 74 68 2e 6d 61 78 28 62 2c 65 2d 67 29 2c 31 30 32 34 3c 62 26 26 28 7a 61 28 63 2c 67 2c 7b 7d 29 2c 64 7c 3d 32 35 36 2c 62 3d 31 30 32 33 29 2c 64 3d 64 26 2d Data Ascii: eak a}}b&&(g=(d>>9&1)-1,b=Math.max(b,e-g),1024<b&&(za(c,g,{}),d\|=256,b=1023),d=d&-2095105\|(b&1023)<<11)}}I(a,d);return a} function za(a,b,c){for(var d=1023+b,e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.length=d+1;a[d]
Jan 20, 2025 14:54:28.010477066 CET	612	IN	Data Raw: 6c 69 63 65 2e 63 61 6c 6c 28 61 29 3b 76 61 72 20 64 3d 61 2e 6c 65 6e 67 74 68 2c 65 3d 62 26 32 35 36 3f 61 5b 64 2d 31 5d 3a 76 6f 69 64 20 30 3b 64 2b 3d 65 3f 2d 31 3a 30 3b 66 6f 72 28 62 3d 62 26 35 31 32 3f 31 3a 30 3b 62 3c 64 3b 62 2b Data Ascii: lice.call(a);var d=a.length,e=b&256?a[d-1]:void 0;d+=e?-1:0;for(b=b&512?1:0;b<d;b++)a[b]=c(a[b]);if(e){b=a[b]={};for(var f in e)Object.prototype.hasOwnProperty.call(e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a){if(Array.is
Jan 20, 2025 14:54:28.010487080 CET	1236	IN	Data Raw: 67 2c 61 29 3b 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 46 61 28 61 29 7b 72 65 74 75 72 6e 20 61 2e 73 3d 3d 3d 4d 3f 61 2e 74 6f 4a 53 4f 4e 28 29 3a 41 61 28 61 29 7d 3b 66 75 6e 63 74 69 6f 6e 20 47 61 28 61 2c 62 2c 63 29 7b 63 Data Ascii: g,a);return a}function Fa(a){return a.s===M?a.toJSON():Aa(a)};function Ga(a,b,c){c=void 0===c?K:c;if(null!=a){if(ta&&a instanceof Uint8Array)return b?a:new Uint8Array(a);if(Array.isArray(a)){var d=H(a);if(d&2)return a;if(b&&!(d&64)&&(d&32\|\|0==
Jan 20, 2025 14:54:28.010495901 CET	1236	IN	Data Raw: 20 63 3d 76 6f 69 64 20 30 3b 65 6c 73 65 20 63 3d 67 3b 63 21 3d 3d 67 26 26 6e 75 6c 6c 21 3d 63 26 26 4b 61 28 65 2c 66 2c 62 2c 63 2c 64 29 3b 65 3d 63 3b 69 66 28 6e 75 6c 6c 3d 3d 65 29 72 65 74 75 72 6e 20 65 3b 61 3d 61 2e 68 3b 66 3d 4a Data Ascii: c=void 0;else c=g;c!==g&&null!=c&&Ka(e,f,b,c,d);e=c;if(null==e)return e;a=a.h;f=J(a);f&2\|\|(g=e,c=g.h,h=J(c),g=h&2?Q(g.constructor,Ha(c,h,!1)):g,g!==e&&(e=g,Ka(a,f,b,e,d)));return e}function Na(a,b){a=Ia(a,b);return null==a\|\|"string"===typeof
Jan 20, 2025 14:54:28.010505915 CET	1236	IN	Data Raw: 63 61 5d 3d 61 3a 63 3d 21 30 29 3b 69 66 28 63 29 7b 66 6f 72 28 76 61 72 20 72 62 20 69 6e 20 65 29 7b 79 3d 65 3b 62 72 65 61 6b 20 61 7d 79 3d 6e 75 6c 6c 7d 7d 79 21 3d 68 26 26 28 43 61 3d 21 30 29 3b 64 2d 2d 7d 66 6f 72 28 3b 30 3c 64 3b Data Ascii: ca]=a:c=!0);if(c){for(var rb in e){y=e;break a}y=null}}y!=h&&(Ca=!0);d--}for(;0<d;d--){h=b[d-1];if(null!=h)break;var cb=!0}if(!Ca&&!cb)return b;var da;f?da=b:da=Array.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&b.push(y);return b};func
Jan 20, 2025 14:54:28.015436888 CET	1236	IN	Data Raw: 61 3b 72 65 74 75 72 6e 20 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 7d 3b 66 75 6e 63 74 69 6f 6e 20 5a 61 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 74 72 79 7b 76 61 72 20 67 3d 61 2e 67 2c 68 3d 59 61 28 67 29 Data Ascii: a;return a.createElement("script")};function Za(a,b,c,d,e,f){try{var g=a.g,h=Ya(g);h.async=!0;Xa(h,b);g.head.appendChild(h);h.addEventListener("load",function(){e();d&&g.head.removeChild(h)});h.addEventListener("error",function(){0<c?Za(a,b,c-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49858	162.55.60.2	80	6864	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Timestamp	Bytes transferred	Direction	Data
Jan 20, 2025 14:54:44.912956953 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Jan 20, 2025 14:54:45.555881977 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Mon, 20 Jan 2025 13:54:45 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Jan 20, 2025 14:54:45.555927992 CET	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Jan 20, 2025 14:54:45.555963039 CET	448	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Jan 20, 2025 14:54:45.555998087 CET	1236	IN	Data Raw: 64 2c 65 29 26 26 28 61 5b 65 5d 3d 64 5b 65 5d 29 7d 72 65 74 75 72 6e 20 61 7d 3b 68 61 28 22 4f 62 6a 65 63 74 2e 61 73 73 69 67 6e 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7c 7c 6e 61 7d 29 3b 0a 0a 20 20 20 20 20 20 Data Ascii: d,e)&&(a[e]=d[e])}return a};ha("Object.assign",function(a){return a\|\|na}); var p=this\|\|self;function q(a){return a};var t,u;a:{for(var oa=["CLOSURE_FLAGS"],v=p,x=0;x<oa.length;x++)if(v=v[oa[x]],null==v){u=null;break a}u=v}var pa=u&&u[61
Jan 20, 2025 14:54:45.556035995 CET	1236	IN	Data Raw: 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 29 2c 49 28 61 2c 62 7c 31 29 29 7d 0a 20 20 20 20 20 20 76 61 72 20 48 3d 46 3f 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 5b 46 5d 7c 30 7d 3a 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 Data Ascii: .slice.call(a)),I(a,b\|1))} var H=F?function(a){return a[F]\|0}:function(a){return a.g\|0},J=F?function(a){return a[F]}:function(a){return a.g},I=F?function(a,b){a[F]=b}:function(a,b){void 0!==a.g?a.g=b:Object.defineProperties(a,{g:{value:b
Jan 20, 2025 14:54:45.556075096 CET	448	IN	Data Raw: 29 7d 61 2e 6c 65 6e 67 74 68 3d 64 2b 31 3b 61 5b 64 5d 3d 63 7d 3b 66 75 6e 63 74 69 6f 6e 20 41 61 28 61 29 7b 73 77 69 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 Data Ascii: )}a.length=d+1;a[d]=c};function Aa(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "boolean":return a?1:0;case "object":if(a&&!Array.isArray(a)&&ta&&null!=a&&a instanceof Uint8Array){if(ua){for(var b="",c=0,d=a.length-102
Jan 20, 2025 14:54:45.556111097 CET	1236	IN	Data Raw: 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 22 2e 73 70 6c 69 74 28 22 22 29 3b 64 3d 5b 22 2b 2f 3d 22 2c 22 2b 2f 22 2c 22 2d 5f 3d 22 2c 22 2d 5f 2e 22 2c 22 2d 5f 22 5d 3b 66 6f 72 28 76 61 72 20 65 3d 0a 20 20 20 Data Ascii: mnopqrstuvwxyz0123456789".split("");d=["+/=","+/","-_=","-_.","-_"];for(var e= 0;5>e;e++){var f=c.concat(d[e].split(""));sa[e]=f;for(var g=0;g<f.length;g++){var h=f[g];void 0===E[h]&&(E[h]=g)}}}b=sa[b];c=Array(Math.floor(a.length/3));d=b
Jan 20, 2025 14:54:45.556145906 CET	1236	IN	Data Raw: 7d 3b 66 75 6e 63 74 69 6f 6e 20 47 61 28 61 2c 62 2c 63 29 7b 63 3d 76 6f 69 64 20 30 3d 3d 3d 63 3f 4b 3a 63 3b 69 66 28 6e 75 6c 6c 21 3d 61 29 7b 69 66 28 74 61 26 26 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 55 69 6e 74 38 41 72 72 61 79 29 72 Data Ascii: };function Ga(a,b,c){c=void 0===c?K:c;if(null!=a){if(ta&&a instanceof Uint8Array)return b?a:new Uint8Array(a);if(Array.isArray(a)){var d=H(a);if(d&2)return a;if(b&&!(d&64)&&(d&32\|\|0===d))return I(a,d\|34),a;a=Ea(a,Ga,d&4?K:c,!0,!1,!0);b=H(a);b&
Jan 20, 2025 14:54:45.556180954 CET	1236	IN	Data Raw: 3d 3d 65 29 72 65 74 75 72 6e 20 65 3b 61 3d 61 2e 68 3b 66 3d 4a 28 61 29 3b 66 26 32 7c 7c 28 67 3d 65 2c 63 3d 67 2e 68 2c 68 3d 4a 28 63 29 2c 67 3d 68 26 32 3f 51 28 67 2e 63 6f 6e 73 74 72 75 63 74 6f 72 2c 48 61 28 63 2c 68 2c 21 31 29 29 Data Ascii: ==e)return e;a=a.h;f=J(a);f&2\|\|(g=e,c=g.h,h=J(c),g=h&2?Q(g.constructor,Ha(c,h,!1)):g,g!==e&&(e=g,Ka(a,f,b,e,d)));return e}function Na(a,b){a=Ia(a,b);return null==a\|\|"string"===typeof a?a:void 0} function Oa(a,b){a=Ia(a,b);return null!=a?
Jan 20, 2025 14:54:45.556216955 CET	1236	IN	Data Raw: 26 28 43 61 3d 21 30 29 3b 64 2d 2d 7d 66 6f 72 28 3b 30 3c 64 3b 64 2d 2d 29 7b 68 3d 62 5b 64 2d 31 5d 3b 69 66 28 6e 75 6c 6c 21 3d 68 29 62 72 65 61 6b 3b 76 61 72 20 63 62 3d 21 30 7d 69 66 28 21 43 61 26 26 21 63 62 29 72 65 74 75 72 6e 20 Data Ascii: &(Ca=!0);d--}for(;0<d;d--){h=b[d-1];if(null!=h)break;var cb=!0}if(!Ca&&!cb)return b;var da;f?da=b:da=Array.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&b.push(y);return b};function Qa(a){return function(b){if(null==b\|\|""==b)b=new a;else
Jan 20, 2025 14:54:45.561099052 CET	1236	IN	Data Raw: 7b 74 72 79 7b 76 61 72 20 67 3d 61 2e 67 2c 68 3d 59 61 28 67 29 3b 68 2e 61 73 79 6e 63 3d 21 30 3b 58 61 28 68 2c 62 29 3b 67 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 68 29 3b 68 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 Data Ascii: {try{var g=a.g,h=Ya(g);h.async=!0;Xa(h,b);g.head.appendChild(h);h.addEventListener("load",function(){e();d&&g.head.removeChild(h)});h.addEventListener("error",function(){0<c?Za(a,b,c-1,d,e,f):(d&&g.head.removeChild(h),f())})}catch(k){f()}};var

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49903	162.55.60.2	80	6844	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Timestamp	Bytes transferred	Direction	Data
Jan 20, 2025 14:54:52.023921967 CET	58	OUT	GET / HTTP/1.1 User-Agent: Project1 Host: showip.net
Jan 20, 2025 14:54:52.683809996 CET	1236	IN	HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: * Access-Control-Allow-Origin: * Content-Type: text/html;charset=utf-8 Date: Mon, 20 Jan 2025 13:54:52 GMT Server: Caddy Transfer-Encoding: chunked Data Raw: 34 36 66 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 73 63 72 69 70 74 20 61 73 79 6e 63 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 61 67 2f 6a 73 3f 69 64 3d 47 2d 4c 36 4e 4b 54 35 47 36 44 37 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 3d 20 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 20 20 67 74 61 67 28 27 6a 73 27 2c 20 6e 65 77 20 44 61 74 65 28 29 29 3b 0a 0a 20 20 20 20 20 20 67 74 61 67 28 27 63 6f 6e 66 69 67 27 2c 20 27 47 2d 4c 36 4e 4b 54 35 47 36 44 37 27 29 3b 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e [TRUNCATED] Data Ascii: 46f8<!DOCTYPE html><html lang="en"> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-L6NKT5G6D7'); </script> <script async src="https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1" nonce="a8sPTFY01S1bvA7Euc8gkg"></script><script nonce="a8sPTFY01S1bvA7Euc8gkg">(function() {function signalGooglefcPresent() {if (!window.frames['googlefcPresent']) {if (document.body) {const iframe = document.createElement('iframe'); iframe.style = 'width: 0; height: 0; border: none; z-index: -1000; left: -1000px; top: -1000px;'; iframe.style.display = 'none'; iframe.name = 'googlefcPresent'; document.body.appendChild(iframe);} else {setTimeout(signalGooglefcPresent, 0);}}}signalGooglefcPresent();})();</script> <script> (function(){'use strict';fun
Jan 20, 2025 14:54:52.683881998 CET	1236	IN	Data Raw: 63 74 69 6f 6e 20 61 61 28 61 29 7b 76 61 72 20 62 3d 30 3b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 62 3c 61 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 21 31 2c 76 61 6c 75 65 3a 61 5b 62 2b 2b 5d 7d 3a 7b 64 6f Data Ascii: ction aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;
Jan 20, 2025 14:54:52.683897972 CET	1236	IN	Data Raw: 76 61 72 20 63 20 69 6e 20 62 29 69 66 28 22 70 72 6f 74 6f 74 79 70 65 22 21 3d 63 29 69 66 28 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 29 7b 76 61 72 20 64 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 Data Ascii: var c in b)if("prototype"!=c)if(Object.defineProperties){var d=Object.getOwnPropertyDescriptor(b,c);d&&Object.defineProperty(a,c,d)}else a[c]=b[c];a.A=b.prototype}function ma(){for(var a=Number(this),b=[],c=a;c<arguments.length;c++)b[c-a]=argu
Jan 20, 2025 14:54:52.683913946 CET	388	IN	Data Raw: 67 65 22 29 29 7c 7c 28 43 28 29 3f 41 28 22 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 22 29 3a 42 28 22 45 64 67 2f 22 29 29 7c 7c 43 28 29 26 26 41 28 22 4f 70 65 72 61 22 29 29 3b 76 61 72 20 73 61 3d 7b 7d 2c 45 3d 6e 75 6c 6c 3b 76 61 72 20 Data Ascii: ge"))\|\|(C()?A("Microsoft Edge"):B("Edg/"))\|\|C()&&A("Opera"));var sa={},E=null;var ta="undefined"!==typeof Uint8Array,ua=!ra&&"function"===typeof btoa;var F="function"===typeof Symbol&&"symbol"===typeof Symbol()?Symbol():void 0,G=F?function(a,b
Jan 20, 2025 14:54:52.683929920 CET	1236	IN	Data Raw: 61 72 20 62 3d 48 28 61 29 3b 31 21 3d 3d 28 62 26 31 29 26 26 28 4f 62 6a 65 63 74 2e 69 73 46 72 6f 7a 65 6e 28 61 29 26 26 28 61 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2e 63 61 6c 6c 28 61 29 29 2c 49 28 61 2c 62 7c Data Ascii: ar b=H(a);1!==(b&1)&&(Object.isFrozen(a)&&(a=Array.prototype.slice.call(a)),I(a,b\|1))} var H=F?function(a){return a[F]\|0}:function(a){return a.g\|0},J=F?function(a){return a[F]}:function(a){return a.g},I=F?function(a,b){a[F]=b}:function(a
Jan 20, 2025 14:54:52.683945894 CET	1236	IN	Data Raw: 65 3d 61 2e 6c 65 6e 67 74 68 2c 66 3d 64 3b 66 3c 65 3b 66 2b 2b 29 7b 76 61 72 20 67 3d 61 5b 66 5d 3b 6e 75 6c 6c 21 3d 67 26 26 67 21 3d 3d 63 26 26 28 63 5b 66 2d 62 5d 3d 67 29 7d 61 2e 6c 65 6e 67 74 68 3d 64 2b 31 3b 61 5b 64 5d 3d 63 7d Data Ascii: e=a.length,f=d;f<e;f++){var g=a[f];null!=g&&g!==c&&(c[f-b]=g)}a.length=d+1;a[d]=c};function Aa(a){switch(typeof a){case "number":return isFinite(a)?a:String(a);case "boolean":return a?1:0;case "object":if(a&&!Array.isArray(a)&&ta&&null!=a&&a i
Jan 20, 2025 14:54:52.683962107 CET	1236	IN	Data Raw: 28 65 2c 66 29 26 26 28 62 5b 66 5d 3d 63 28 65 5b 66 5d 29 29 7d 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 44 61 28 61 2c 62 2c 63 2c 64 2c 65 2c 66 29 7b 69 66 28 6e 75 6c 6c 21 3d 61 29 7b 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 Data Ascii: (e,f)&&(b[f]=c(e[f]))}return a}function Da(a,b,c,d,e,f){if(null!=a){if(Array.isArray(a))a=e&&0==a.length&&H(a)&1?void 0:f&&H(a)&2?a:Ea(a,b,c,void 0!==d,e,f);else if(N(a)){var g={},h;for(h in a)Object.prototype.hasOwnProperty.call(a,h)&&(g[h]=D
Jan 20, 2025 14:54:52.683978081 CET	1236	IN	Data Raw: 66 28 63 3e 3d 66 7c 7c 65 29 7b 65 3d 62 3b 69 66 28 62 26 32 35 36 29 66 3d 61 5b 61 2e 6c 65 6e 67 74 68 2d 31 5d 3b 65 6c 73 65 7b 69 66 28 6e 75 6c 6c 3d 3d 64 29 72 65 74 75 72 6e 3b 66 3d 61 5b 66 2b 28 28 62 3e 3e 39 26 31 29 2d 31 29 5d Data Ascii: f(c>=f\|\|e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e\|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)} function La(a,b){var c
Jan 20, 2025 14:54:52.683995962 CET	896	IN	Data Raw: 72 65 61 6b 7d 66 3d 21 30 7d 65 3d 62 3b 63 3d 21 63 3b 67 3d 4a 28 61 2e 68 29 3b 61 3d 4c 28 67 29 3b 67 3d 28 67 3e 3e 39 26 31 29 2d 31 3b 66 6f 72 28 76 61 72 20 68 2c 6b 2c 77 3d 30 3b 77 3c 64 2e 6c 65 6e 67 74 68 3b 77 2b 2b 29 69 66 28 Data Ascii: reak}f=!0}e=b;c=!c;g=J(a.h);a=L(g);g=(g>>9&1)-1;for(var h,k,w=0;w<d.length;w++)if(k=d[w],k<a){k+=g;var r=e[k];null==r?e[k]=c?O:wa():c&&r!==O&&va(r)}else h\|\|(r=void 0,e.length&&N(r=e[e.length-1])?h=r:e.push(h={})),r=h[k],null==h[k]?h[k]=c?O:wa(
Jan 20, 2025 14:54:52.684010029 CET	1236	IN	Data Raw: 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 54 61 3d 7b 7d 3b 66 75 6e Data Ascii: tion V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648Math.random()).toString(36)+Math.abs(Math.floor(2147483648Math.random())^Date.now()).toString(36)};function Va(a,b){b=St
Jan 20, 2025 14:54:52.688971996 CET	1236	IN	Data Raw: 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59 57 51 67 62 33 49 67 63 32 4e 79 61 58 42 30 49 47 4a 73 62 32 4e 72 61 57 35 6e 49 48 4e 76 5a 6e 52 33 59 58 4a 6c 49 47 6c 7a 49 47 6c 75 64 Data Ascii: pbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVuIHJlbG9hZCB0aGlzIHBhZ2Uu");function db(a,b,c){th

Target ID:	0
Start time:	08:54:22
Start date:	20/01/2025
Path:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"
Imagebase:	0xb50000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1320598950.0000000004709000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.1320598950.0000000004773000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:54:24
Start date:	20/01/2025
Path:	C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Cotizaci#U00f3n____________________pdf.exe"
Imagebase:	0x960000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:54:40
Start date:	20/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Imagebase:	0xfc0000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:54:41
Start date:	20/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Imagebase:	0xab0000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:54:48
Start date:	20/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Imagebase:	0x210000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000009.00000002.1576094212.0000000004288000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000002.1576094212.0000000003625000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:54:49
Start date:	20/01/2025
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe"
Imagebase:	0xe80000
File size:	937'984 bytes
MD5 hash:	4089494500889C8E9A8B62F1B6F3CE9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Cotizaci#U00f3n____________________pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkCloud

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cotizaci#U00f3n____________________pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\flaminical.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfotheringXKGFwCrmvgZsFQeDdcQdJPTxKGYxDzkagfluently

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flaminical.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Cotizaci#U00f3n____________________pdf.exe