Windows Analysis Report
chitanta de plata 002093940409505050960000.exe

Overview

General Information

Sample name: chitanta de plata 002093940409505050960000.exe
Analysis ID: 1618698
MD5: dfc4049de3311d05b6027601575b7b11
SHA1: 67cc8c411bed9e48ce37f5f3eb18da0e45563439
SHA256: 5a4e470b3209d805f2c4f0707795907a5e5d2964d1ec35b9b42eb8e6d5dc9f82
Tags: Agenttesla, exe, user-Bastian455_

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (Agent Tesla): {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source | Rule | Description | Author | Strings
00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.4129150956.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33afd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33b6f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33bf9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33c8b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33cf5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33d67:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33dfd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33e8d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x30e3d:$s2: GetPrivateProfileString
  • 0x30540:$s3: get_OSFullName
  • 0x31c11:$s5: remove_Key
  • 0x31dd9:$s5: remove_Key
  • 0x32d01:$s6: FtpWebRequest
  • 0x33adf:$s7: logins
  • 0x34051:$s7: logins
  • 0x36d62:$s7: logins
  • 0x36e14:$s7: logins
  • 0x38766:$s7: logins
  • 0x379ae:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
                  No Sigma rule has matched
                  No Suricata rule has matched
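The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match above fires on eight Credential Manager vault schema GUID strings in the unpacked payload. As an added example that is not part of this report or of ditekSHen's rule set, the following Python scanner reproduces that check over a raw buffer, searching for the GUIDs in both ASCII and UTF-16LE (a .NET string literal is stored as UTF-16LE in the #US heap, so an ASCII-only grep would miss it). The GUIDs are the ones listed in the match; the three-distinct-GUID threshold and the constructed test buffer are assumptions of this example, not the rule's own condition.

```python
"""Added example, not code from the Joe Sandbox report or from ditekSHen's rules.

Scans a raw buffer (file or memory dump) for the Windows vault schema GUIDs
that the report's Yara match lists, in both ASCII and UTF-16LE encodings.
"""
import re

# GUID strings exactly as listed in the report's Yara match ($s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def find_vault_guids(data: bytes):
    """Return a list of (guid, offset, encoding) hits, sorted by offset.

    Matching is case-insensitive because GUIDs are sometimes emitted in
    lower case. .NET compiles string literals into the #US heap as UTF-16LE,
    so the wide form is the one that usually hits on a managed payload; the
    ASCII form covers native binaries and config blobs.
    """
    hits = []
    for guid in VAULT_SCHEMA_GUIDS:
        for enc, needle in (("ascii", guid.encode("ascii")),
                            ("utf-16le", guid.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data, flags=re.IGNORECASE):
                hits.append((guid, m.start(), enc))
    return sorted(hits, key=lambda h: h[1])


def vault_schema_verdict(data: bytes, min_distinct: int = 3):
    """(suspicious, distinct_guids). The threshold is an assumption of this
    example, not the condition of the original rule."""
    distinct = {guid for guid, _, _ in find_vault_guids(data)}
    return len(distinct) >= min_distinct, sorted(distinct)


def build_sample() -> bytes:
    """Constructed test buffer, not the real sample: three GUIDs stored the
    way a .NET literal would be (UTF-16LE, here lower-cased) plus one ASCII
    copy, separated by filler."""
    parts = [b"MZ" + b"\x00" * 62]
    for guid in VAULT_SCHEMA_GUIDS[:3]:
        parts.append(guid.lower().encode("utf-16-le") + b"\x00" * 8)
    parts.append(VAULT_SCHEMA_GUIDS[7].encode("ascii"))
    return b"".join(parts)


if __name__ == "__main__":
    for guid, off, enc in find_vault_guids(build_sample()):
        print(f"0x{off:x} {enc:8s} {guid}")
    print(vault_schema_verdict(build_sample()))
```

Run it against an unpacked dump (for example the `1.2.*.400000.0.unpack` region the report names) by replacing `build_sample()` with the file's bytes; a hit list with wide-encoded offsets is the usual shape for an AgentTesla payload.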


                  AV Detection

Source: chitanta de plata 002093940409505050960000.exe | Avira: detected
Source: http://concaribe.com | Avira URL Cloud: Label: malware
Source: http://ftp.concaribe.com | Avira URL Cloud: Label: malware
Source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source: chitanta de plata 002093940409505050960000.exe | Virustotal: Detection: 62%
Source: chitanta de plata 002093940409505050960000.exe | ReversingLabs: Detection: 75%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: chitanta de plata 002093940409505050960000.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: chitanta de plata 002093940409505050960000.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb | source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663634957.0000000002570000.00000004.08000000.00040000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll | source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663634957.0000000002570000.00000004.08000000.00040000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Nova\source\repos\NailSalon\NailSalon\obj\Debug\NailSalon.pdb | source: chitanta de plata 002093940409505050960000.exe
Source: Joe Sandbox View | IP Address: 192.185.13.234
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.concaribe.com
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://concaribe.com
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.concaribe.com
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4129150956.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
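The network indicators above show the sequence the report flags as "May check the online IP address of the machine": a DNS lookup and TLS connection for api.ipify.org, followed by a DNS query for the FTP host named in the extracted configuration. The following Python is an added example, not part of the report, of turning that sequence into a detection over DNS and connection logs: a public-IP lookup from a host, followed within a short window by FTP/SMTP-style activity from the same host, raises an alert. The log format, field names, the 120-second window and the port list are assumptions, and the log lines are constructed; the 203.0.113.10 destination is a documentation-range placeholder because the report does not show which address ftp.concaribe.com resolved to.

```python
"""Added example, not part of the Joe Sandbox report.

Correlates "public IP lookup, then exfil-style network activity" per source
host over simple DNS/connection log lines. Log format and thresholds are
assumptions made for this example.
"""

IP_LOOKUP_SERVICES = {"api.ipify.org"}   # the service this sample used; extend from your own telemetry
EXFIL_PORTS = {21, 25, 465, 587}         # FTP and SMTP: the channels the config/signatures point at
WINDOW_SECONDS = 120                     # assumed: how soon after the lookup the follow-up must occur


def parse_line(line: str) -> dict:
    """Constructed format: '<epoch> <src_ip> dns <qname>' or
    '<epoch> <src_ip> conn <dst_ip>:<dport>'."""
    ts, src, kind, value = line.split(maxsplit=3)
    rec = {"ts": float(ts), "src": src, "kind": kind}
    if kind == "dns":
        rec["qname"] = value.lower()
    elif kind == "conn":
        dst, port = value.rsplit(":", 1)
        rec["dst"], rec["dport"] = dst, int(port)
    else:
        raise ValueError(f"unknown record kind {kind!r}")
    return rec


def detect_ipcheck_then_exfil(lines):
    """Return alerts as (src_ip, lookup_ts, follow_up) tuples.

    A lookup of an IP-echo service arms the host; any DNS query for an
    'ftp.' name or any connection to an exfil port from that host inside
    WINDOW_SECONDS fires. Neither behaviour alone is alerted on, which is
    what keeps this quiet on ordinary workstations.
    """
    last_lookup = {}
    alerts = []
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        src = rec["src"]
        if rec["kind"] == "dns" and rec["qname"] in IP_LOOKUP_SERVICES:
            last_lookup[src] = rec["ts"]
            continue
        armed_at = last_lookup.get(src)
        if armed_at is None or rec["ts"] - armed_at > WINDOW_SECONDS:
            continue
        if rec["kind"] == "dns" and rec["qname"].startswith("ftp."):
            alerts.append((src, armed_at, f"dns {rec['qname']}"))
        elif rec["kind"] == "conn" and rec["dport"] in EXFIL_PORTS:
            alerts.append((src, armed_at, f"conn {rec['dst']}:{rec['dport']}"))
    return alerts


# Constructed log lines. 192.168.2.4 mirrors the sandbox host and the two
# hostnames/the 172.67.74.152:443 connection are taken from the report; the
# 203.0.113.10:21 connection is a placeholder, not observed traffic.
SAMPLE_LOG = """\
1700000000 192.168.2.4 dns api.ipify.org
1700000001 192.168.2.4 conn 172.67.74.152:443
1700000003 192.168.2.4 dns ftp.concaribe.com
1700000004 192.168.2.4 conn 203.0.113.10:21
1700000000 192.168.2.9 dns api.ipify.org
1700000700 192.168.2.9 conn 203.0.113.10:21
1700000010 192.168.2.7 dns ftp.example.internal
"""

if __name__ == "__main__":
    for src, t0, what in detect_ipcheck_then_exfil(SAMPLE_LOG.splitlines()):
        print(f"{src}: IP lookup at {t0:.0f} followed by {what}")
```

Host 192.168.2.9 does the lookup but its FTP connection is outside the window, and 192.168.2.7 talks to an FTP host without any lookup, so neither fires; only the sandbox host's sequence does. The lookup-then-exfil pairing is worth more than either indicator alone because api.ipify.org is also used by legitimate software.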

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, cPKWk.cs | .Net Code: ojpIFBdoe

                  System Summary

Source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Code function: 0_2_00BF4598
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Code functions: 1_2_029DE760, 1_2_029DAAAB, 1_2_029D4A58, 1_2_029D3E40, 1_2_029D4188, 1_2_0669A8B4, 1_2_0669A598, 1_2_0669BDF0, 1_2_0669DBF0, 1_2_066B66C0, 1_2_066B56A0, 1_2_066BC240, 1_2_066BB2F0, 1_2_066B3158, 1_2_066B7E40, 1_2_066B7760, 1_2_066BE468, 1_2_066B2370, 1_2_066B0040, 1_2_066B5DB7, 1_2_066B0038, 1_2_066B0007
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename Piver.dllH vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename b6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663141284.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000000.1659742702.0000000000272000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename NailSalon.exe4 vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663634957.000000000257C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename Piver.dllH vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4127668482.0000000000938000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILET vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4127545728.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename b6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs chitanta de plata 002093940409505050960000.exe
Source: chitanta de plata 002093940409505050960000.exe | Binary or memory string: OriginalFilename NailSalon.exe4 vs chitanta de plata 002093940409505050960000.exe
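The "Binary string: ...Piver.pdb" entries earlier in the report come from CodeView (RSDS) debug records left in the crypter's memory image, and the "OriginalFilename ... vs ..." entries above compare VS_VERSIONINFO string values with the name on disk (the signature "Sample file is different than original file name gathered from version info"). As an added example that is not part of the report, the Python below carves both artefacts from a raw buffer the way a strings-style triage pass would, and applies the on-disk-name comparison. The PDB path is the one quoted in the report; the GUID, age and version-info bytes in the test buffer are constructed for this example and are not the sample's.

```python
"""Added example, not code from the Joe Sandbox report.

Carves RSDS (CodeView) debug records and VS_VERSIONINFO OriginalFilename
values from a raw PE image or memory dump. Both carvers are heuristic string
scans, not full PE parsers; the test buffer below is constructed.
"""
import re
import struct


def carve_rsds(data: bytes):
    """Return (offset, guid, age, pdb_path) for each RSDS record.

    Layout: 'RSDS' | GUID (Data1 u32 LE, Data2/3 u16 LE, Data4 8 bytes) |
    age u32 LE | NUL-terminated PDB path. The GUID+age pair is what symbol
    servers key on, so it is a useful pivot across builds of one crypter.
    """
    out = []
    for m in re.finditer(b"RSDS", data):
        off = m.start()
        if off + 24 > len(data):
            continue
        d1, d2, d3 = struct.unpack_from("<IHH", data, off + 4)
        d4 = data[off + 12:off + 20]
        age = struct.unpack_from("<I", data, off + 20)[0]
        end = data.find(b"\x00", off + 24)
        if end == -1:
            continue
        try:
            path = data[off + 24:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        if not path.lower().endswith(".pdb"):
            continue   # the four bytes 'RSDS' occurring by chance
        guid = "%08X-%04X-%04X-%s-%s" % (d1, d2, d3, d4[:2].hex().upper(), d4[2:].hex().upper())
        out.append((off, guid, age, path))
    return out


# The String entry key, as stored: UTF-16LE text plus a UTF-16 NUL.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def carve_original_filename(data: bytes):
    """Return OriginalFilename values found in VS_VERSIONINFO String entries.

    After the NUL-terminated key, the value starts at the next DWORD
    boundary and is itself a NUL-terminated UTF-16LE string. Alignment is
    computed from the buffer start, which holds for a file or a page-aligned
    dump (an assumption of this carver).
    """
    out = []
    for m in re.finditer(re.escape(_KEY), data):
        pos = (m.end() + 3) & ~3
        end = data.find(b"\x00\x00", pos)
        while end != -1 and (end - pos) % 2:     # need a code-unit-aligned terminator
            end = data.find(b"\x00\x00", end + 1)
        if end == -1:
            continue
        try:
            out.append(data[pos:end].decode("utf-16-le"))
        except UnicodeDecodeError:
            continue
    return out


def filename_mismatch(sample_name: str, data: bytes):
    """The report's 'sample file differs from version-info name' check:
    every OriginalFilename value that is not the on-disk name."""
    return [n for n in carve_original_filename(data) if n.lower() != sample_name.lower()]


def build_sample() -> bytes:
    """Constructed buffer, not the real sample: a decoy 'RSDS', a real RSDS
    record carrying the PDB path quoted in the report (GUID/age invented),
    and one version-info String entry for OriginalFilename."""
    guid = struct.pack("<IHH", 0x01234567, 0x89AB, 0xCDEF) + bytes.fromhex("0123456789abcdef")
    pdb = r"G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb"
    buf = bytearray(b"MZ" + b"\x00" * 62)
    buf += b"RSDS" + b"A" * 20 + b"not a debug record\x00"
    buf += b"RSDS" + guid + struct.pack("<I", 1) + pdb.encode("ascii") + b"\x00"
    buf += b"\x00" * (-len(buf) % 4)                     # DWORD-align the String entry
    value = "Piver.dll".encode("utf-16-le") + b"\x00\x00"
    # String header: wLength, wValueLength (in UTF-16 units), wType=1 (text)
    buf += struct.pack("<HHH", 6 + len(_KEY) + len(value), len(value) // 2, 1) + _KEY + value
    return bytes(buf)


if __name__ == "__main__":
    blob = build_sample()
    for off, guid, age, path in carve_rsds(blob):
        print(f"RSDS @0x{off:x} {guid} age={age} {path}")
    print(filename_mismatch("chitanta de plata 002093940409505050960000.exe", blob))
```

On the report's memory regions this is what produces the `Piver.pdb`/`NailSalon.pdb` strings and the `Piver.dll`/`NailSalon.exe` OriginalFilename values: the dropped name on disk matches none of them, which is the mismatch the signature reports.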
Source: chitanta de plata 002093940409505050960000.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: chitanta de plata 002093940409505050960000.exe, LightenSystem.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chitanta de plata 002093940409505050960000.exe.log
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Mutant created: NULL
Source: chitanta de plata 002093940409505050960000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: chitanta de plata 002093940409505050960000.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: chitanta de plata 002093940409505050960000.exe | Virustotal: Detection: 62%
Source: chitanta de plata 002093940409505050960000.exe | ReversingLabs: Detection: 75%
Source: unknown | Process created: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe "C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe"
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Process created: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe "C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe"
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Sections loaded (first process instance): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll
Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Sections loaded (second process instance): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: chitanta de plata 002093940409505050960000.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: chitanta de plata 002093940409505050960000.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: chitanta de plata 002093940409505050960000.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663634957.0000000002570000.00000004.08000000.00040000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll source: chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663634957.0000000002570000.00000004.08000000.00040000.00000000.sdmp, chitanta de plata 002093940409505050960000.exe, 00000000.00000002.1663708233.0000000002691000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Nova\source\repos\NailSalon\NailSalon\obj\Debug\NailSalon.pdb source: chitanta de plata 002093940409505050960000.exe
                  Source: chitanta de plata 002093940409505050960000.exeStatic PE information: 0xC11EB946 [Fri Sep 2 04:29:58 2072 UTC]
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeCode function: 1_2_029D0C55 push edi; retf 1_2_029D0C7A
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeCode function: 1_2_0669FEF3 push es; ret 1_2_0669FEF4
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeCode function: 1_2_06693FB7 push 240679DAh; retf 1_2_06693FD5
                  Source: chitanta de plata 002093940409505050960000.exeStatic PE information: section name: .text entropy: 7.808475813697908
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: BF0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: 2690000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: 23F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: 27E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Memory allocated: 27E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599875
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599766
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599657
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599532
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599407
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599297
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599188
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 599063
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598938
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598813
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598688
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598578
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598469
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598344
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 598110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597594
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597469
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597359
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597217
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 597110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596848
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596719
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596485
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596360
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 596110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595485
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595360
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 595110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594492
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594375
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594266
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594141
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Thread delayed: delay time: 594032
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Window / User API: threadDelayed 8279
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | Window / User API: threadDelayed 1551
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 1544 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep count: 37 > 30
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -34126476536362649s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 2992 | Thread sleep count: 8279 > 30
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599875s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 2992 | Thread sleep count: 1551 > 30
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599766s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599657s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599532s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599407s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599297s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599188s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -599063s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598938s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598813s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598688s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598578s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598469s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598344s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598235s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -598110s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597985s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597860s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597735s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597594s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597469s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597359s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597217s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -597110s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596985s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596848s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596719s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596610s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596485s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596360s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596235s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -596110s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595985s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595860s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595735s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595610s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595485s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595360s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595235s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -595110s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594985s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594860s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594735s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594610s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594492s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe | TID: 3340 | Thread sleep time: -594375s >= -30000s
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe TID: 3340Thread sleep time: -594266s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe TID: 3340Thread sleep time: -594141s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe TID: 3340Thread sleep time: -594032s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599875
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599766
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599657
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599532
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599407
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599297
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599188
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 599063
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598938
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598813
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598688
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598578
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598469
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598344
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 598110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597594
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597469
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597359
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597217
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 597110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596848
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596719
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596485
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596360
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 596110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595485
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595360
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595235
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 595110
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594985
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594860
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594735
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594610
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594492
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594375
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594266
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594141
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Thread delayed: delay time: 594032
                  Source: chitanta de plata 002093940409505050960000.exe, 00000001.00000002.4127829542.0000000000BE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.chitanta de plata 002093940409505050960000.exe.26ef8b0.1.raw.unpack, Nive.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                  Source: 0.2.chitanta de plata 002093940409505050960000.exe.26ef8b0.1.raw.unpack, Nive.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                  Source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, Ljq6xD21ACX.cs Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Memory written: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Process created: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe "C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe"
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4129150956.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4129150956.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 4308, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 5900, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\Desktop\chitanta de plata 002093940409505050960000.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match File source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4129150956.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 4308, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 5900, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 1.2.chitanta de plata 002093940409505050960000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.chitanta de plata 002093940409505050960000.exe.3832688.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4129150956.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4127545728.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.4129150956.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1663775995.0000000003691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 4308, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: chitanta de plata 002093940409505050960000.exe PID: 5900, type: MEMORYSTR

                  MITRE ATT&CK Matrix (one line per tactic column; the number shown before a technique is the count the report attaches to that cell)

                  Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
                  Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
                  Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
                  Execution: 121 Windows Management Instrumentation, 1 Native API, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
                  Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                  Privilege Escalation: 1 DLL Side-Loading, 111 Process Injection, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
                  Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 Software Packing, 1 Timestomp, 1 DLL Side-Loading, 1 Masquerading, 141 Virtualization/Sandbox Evasion, 111 Process Injection
                  Credential Access: 2 OS Credential Dumping, 1 Input Capture, 1 Credentials in Registry, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
                  Discovery: 1 File and Directory Discovery, 24 System Information Discovery, 1 Query Registry, 111 Security Software Discovery, 1 Process Discovery, 141 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery, Network Sniffing
                  Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
                  Collection: 11 Archive Collected Data, 2 Data from Local System, 1 Email Collection, 1 Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
                  Command and Control: 1 Ingress Tool Transfer, 11 Encrypted Channel, 2 Non-Application Layer Protocol, 13 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
                  Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
