Edit tour

Windows Analysis Report
FACTURAS PENDIENTES.exe

Overview

General Information

Sample name:	FACTURAS PENDIENTES.exe
Analysis ID:	1629266
MD5:	ce21d13c05134c7f3eaf6adcca9de628
SHA1:	11dba134b8dbf5f792ea618ee72601f9c50f91a9
SHA256:	22cd6167198a1ec170b1be60d7524e36d454b1a7183acaa99cdf328629e52425
Tags:	exeuser-TeamDreier
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FACTURAS PENDIENTES.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe" MD5: CE21D13C05134C7F3EAF6ADCCA9DE628)

powershell.exe (PID: 7324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FACTURAS PENDIENTES.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe" MD5: CE21D13C05134C7F3EAF6ADCCA9DE628)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8/sendMessage?chat_id=5692813672", "Token": "7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8", "Chat_id": "5692813672", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148e8:$a1: get_encryptedPassword 0x14bd4:$a2: get_encryptedUsername 0x146f4:$a3: get_timePasswordChanged 0x147ef:$a4: get_passwordField 0x148fe:$a5: set_encryptedPassword 0x15f84:$a7: get_logins 0x15ee7:$a10: KeyLoggerEventArgs 0x15b52:$a11: KeyLoggerEventArgsEventHandler
0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198a8:$x1: $%SMTPDV$ 0x1828c:$x2: $#TheHashHere%& 0x19850:$x3: %FTPDV$ 0x1822c:$x4: $%TelegramDv$ 0x15b52:$x5: KeyLoggerEventArgs 0x15ee7:$x5: KeyLoggerEventArgs 0x19874:$m2: Clipboard Logs ID 0x19ab2:$m2: Screenshot Logs ID 0x19bc2:$m2: keystroke Logs ID 0x19e9c:$m3: SnakePW 0x19a8a:$m4: \SnakeKeylogger\
0000000B.00000002.3740949613.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ddf0:$a1: get_encryptedPassword 0x4e810:$a1: get_encryptedPassword 0x6f030:$a1: get_encryptedPassword 0x2e0dc:$a2: get_encryptedUsername 0x4eafc:$a2: get_encryptedUsername 0x6f31c:$a2: get_encryptedUsername 0x2dbfc:$a3: get_timePasswordChanged 0x4e61c:$a3: get_timePasswordChanged 0x6ee3c:$a3: get_timePasswordChanged 0x2dcf7:$a4: get_passwordField 0x4e717:$a4: get_passwordField 0x6ef37:$a4: get_passwordField 0x2de06:$a5: set_encryptedPassword 0x4e826:$a5: set_encryptedPassword 0x6f046:$a5: set_encryptedPassword 0x2f48c:$a7: get_logins 0x4feac:$a7: get_logins 0x706cc:$a7: get_logins 0x2f3ef:$a10: KeyLoggerEventArgs 0x4fe0f:$a10: KeyLoggerEventArgs 0x7062f:$a10: KeyLoggerEventArgs
00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x32db0:$x1: $%SMTPDV$ 0x537d0:$x1: $%SMTPDV$ 0x73ff0:$x1: $%SMTPDV$ 0x31794:$x2: $#TheHashHere%& 0x521b4:$x2: $#TheHashHere%& 0x729d4:$x2: $#TheHashHere%& 0x32d58:$x3: %FTPDV$ 0x53778:$x3: %FTPDV$ 0x73f98:$x3: %FTPDV$ 0x31734:$x4: $%TelegramDv$ 0x52154:$x4: $%TelegramDv$ 0x72974:$x4: $%TelegramDv$ 0x2f05a:$x5: KeyLoggerEventArgs 0x2f3ef:$x5: KeyLoggerEventArgs 0x4fa7a:$x5: KeyLoggerEventArgs 0x4fe0f:$x5: KeyLoggerEventArgs 0x7029a:$x5: KeyLoggerEventArgs 0x7062f:$x5: KeyLoggerEventArgs 0x32d7c:$m2: Clipboard Logs ID 0x32fba:$m2: Screenshot Logs ID 0x330ca:$m2: keystroke Logs ID
0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31314:$a1: get_encryptedPassword 0x315f6:$a2: get_encryptedUsername 0x3112a:$a3: get_timePasswordChanged 0x31225:$a4: get_passwordField 0x3132a:$a5: set_encryptedPassword 0x33802:$a7: get_logins 0x33765:$a10: KeyLoggerEventArgs 0x333d0:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x333d0:$x5: KeyLoggerEventArgs 0x33765:$x5: KeyLoggerEventArgs 0x33d3b:$x5: KeyLoggerEventArgs 0x3409c:$x5: KeyLoggerEventArgs 0x35993:$m2: Clipboard Logs ID 0x35a99:$m2: Screenshot Logs ID 0x35aef:$m2: keystroke Logs ID 0x35c24:$m3: SnakePW 0x35a85:$m4: \SnakeKeylogger\
Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x55ce9:$a1: get_encryptedPassword 0x55fcb:$a2: get_encryptedUsername 0x55aff:$a3: get_timePasswordChanged 0x55bfa:$a4: get_passwordField 0x55cff:$a5: set_encryptedPassword 0x581d7:$a7: get_logins 0x5813a:$a10: KeyLoggerEventArgs 0x57da5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x57da5:$x5: KeyLoggerEventArgs 0x5813a:$x5: KeyLoggerEventArgs 0x58710:$x5: KeyLoggerEventArgs 0x58a71:$x5: KeyLoggerEventArgs 0x5a368:$m2: Clipboard Logs ID 0x5a46e:$m2: Screenshot Logs ID 0x5a4c4:$m2: keystroke Logs ID 0x5a5f9:$m3: SnakePW 0x5a45a:$m4: \SnakeKeylogger\
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce8:$a1: get_encryptedPassword 0x12fd4:$a2: get_encryptedUsername 0x12af4:$a3: get_timePasswordChanged 0x12bef:$a4: get_passwordField 0x12cfe:$a5: set_encryptedPassword 0x14384:$a7: get_logins 0x142e7:$a10: KeyLoggerEventArgs 0x13f52:$a11: KeyLoggerEventArgsEventHandler
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae8:$a1: get_encryptedPassword 0x14dd4:$a2: get_encryptedUsername 0x148f4:$a3: get_timePasswordChanged 0x149ef:$a4: get_passwordField 0x14afe:$a5: set_encryptedPassword 0x16184:$a7: get_logins 0x160e7:$a10: KeyLoggerEventArgs 0x15d52:$a11: KeyLoggerEventArgsEventHandler
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19890:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cc3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad02:$a5: \Kometa\User Data\Default\Login Data
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b690:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bac3:$a4: \Orbitum\User Data\Default\Login Data 0x1cb02:$a5: \Kometa\User Data\Default\Login Data
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138cf:$s1: UnHook 0x138d6:$s2: SetHook 0x138de:$s3: CallNextHook 0x138eb:$s4: _hook
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca8:$x1: $%SMTPDV$ 0x1668c:$x2: $#TheHashHere%& 0x17c50:$x3: %FTPDV$ 0x1662c:$x4: $%TelegramDv$ 0x13f52:$x5: KeyLoggerEventArgs 0x142e7:$x5: KeyLoggerEventArgs 0x17c74:$m2: Clipboard Logs ID 0x17eb2:$m2: Screenshot Logs ID 0x17fc2:$m2: keystroke Logs ID 0x1829c:$m3: SnakePW 0x17e8a:$m4: \SnakeKeylogger\
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x156d6:$s2: SetHook 0x156de:$s3: CallNextHook 0x156eb:$s4: _hook
11.2.FACTURAS PENDIENTES.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa8:$x1: $%SMTPDV$ 0x1848c:$x2: $#TheHashHere%& 0x19a50:$x3: %FTPDV$ 0x1842c:$x4: $%TelegramDv$ 0x15d52:$x5: KeyLoggerEventArgs 0x160e7:$x5: KeyLoggerEventArgs 0x19a74:$m2: Clipboard Logs ID 0x19cb2:$m2: Screenshot Logs ID 0x19dc2:$m2: keystroke Logs ID 0x1a09c:$m3: SnakePW 0x19c8a:$m4: \SnakeKeylogger\
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ce8:$a1: get_encryptedPassword 0x12fd4:$a2: get_encryptedUsername 0x12af4:$a3: get_timePasswordChanged 0x12bef:$a4: get_passwordField 0x12cfe:$a5: set_encryptedPassword 0x14384:$a7: get_logins 0x142e7:$a10: KeyLoggerEventArgs 0x13f52:$a11: KeyLoggerEventArgsEventHandler
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a65e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19890:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cc3:$a4: \Orbitum\User Data\Default\Login Data 0x1ad02:$a5: \Kometa\User Data\Default\Login Data
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x138cf:$s1: UnHook 0x138d6:$s2: SetHook 0x138de:$s3: CallNextHook 0x138eb:$s4: _hook
4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17ca8:$x1: $%SMTPDV$ 0x1668c:$x2: $#TheHashHere%& 0x17c50:$x3: %FTPDV$ 0x1662c:$x4: $%TelegramDv$ 0x13f52:$x5: KeyLoggerEventArgs 0x142e7:$x5: KeyLoggerEventArgs 0x17c74:$m2: Clipboard Logs ID 0x17eb2:$m2: Screenshot Logs ID 0x17fc2:$m2: keystroke Logs ID 0x1829c:$m3: SnakePW 0x17e8a:$m4: \SnakeKeylogger\
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae8:$a1: get_encryptedPassword 0x35308:$a1: get_encryptedPassword 0x14dd4:$a2: get_encryptedUsername 0x355f4:$a2: get_encryptedUsername 0x148f4:$a3: get_timePasswordChanged 0x35114:$a3: get_timePasswordChanged 0x149ef:$a4: get_passwordField 0x3520f:$a4: get_passwordField 0x14afe:$a5: set_encryptedPassword 0x3531e:$a5: set_encryptedPassword 0x16184:$a7: get_logins 0x369a4:$a7: get_logins 0x160e7:$a10: KeyLoggerEventArgs 0x36907:$a10: KeyLoggerEventArgs 0x15d52:$a11: KeyLoggerEventArgsEventHandler 0x36572:$a11: KeyLoggerEventArgsEventHandler
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b690:$a3: \Google\Chrome\User Data\Default\Login Data 0x3beb0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bac3:$a4: \Orbitum\User Data\Default\Login Data 0x3c2e3:$a4: \Orbitum\User Data\Default\Login Data 0x1cb02:$a5: \Kometa\User Data\Default\Login Data 0x3d322:$a5: \Kometa\User Data\Default\Login Data
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x35eef:$s1: UnHook 0x156d6:$s2: SetHook 0x35ef6:$s2: SetHook 0x156de:$s3: CallNextHook 0x35efe:$s3: CallNextHook 0x156eb:$s4: _hook 0x35f0b:$s4: _hook
4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa8:$x1: $%SMTPDV$ 0x3a2c8:$x1: $%SMTPDV$ 0x1848c:$x2: $#TheHashHere%& 0x38cac:$x2: $#TheHashHere%& 0x19a50:$x3: %FTPDV$ 0x3a270:$x3: %FTPDV$ 0x1842c:$x4: $%TelegramDv$ 0x38c4c:$x4: $%TelegramDv$ 0x15d52:$x5: KeyLoggerEventArgs 0x160e7:$x5: KeyLoggerEventArgs 0x36572:$x5: KeyLoggerEventArgs 0x36907:$x5: KeyLoggerEventArgs 0x19a74:$m2: Clipboard Logs ID 0x19cb2:$m2: Screenshot Logs ID 0x19dc2:$m2: keystroke Logs ID 0x3a294:$m2: Clipboard Logs ID 0x3a4d2:$m2: Screenshot Logs ID 0x3a5e2:$m2: keystroke Logs ID 0x1a09c:$m3: SnakePW 0x3a8bc:$m3: SnakePW 0x19c8a:$m4: \SnakeKeylogger\
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ae8:$a1: get_encryptedPassword 0x35508:$a1: get_encryptedPassword 0x55d28:$a1: get_encryptedPassword 0x14dd4:$a2: get_encryptedUsername 0x357f4:$a2: get_encryptedUsername 0x56014:$a2: get_encryptedUsername 0x148f4:$a3: get_timePasswordChanged 0x35314:$a3: get_timePasswordChanged 0x55b34:$a3: get_timePasswordChanged 0x149ef:$a4: get_passwordField 0x3540f:$a4: get_passwordField 0x55c2f:$a4: get_passwordField 0x14afe:$a5: set_encryptedPassword 0x3551e:$a5: set_encryptedPassword 0x55d3e:$a5: set_encryptedPassword 0x16184:$a7: get_logins 0x36ba4:$a7: get_logins 0x573c4:$a7: get_logins 0x160e7:$a10: KeyLoggerEventArgs 0x36b07:$a10: KeyLoggerEventArgs 0x57327:$a10: KeyLoggerEventArgs
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c45e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ce7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d69e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b690:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c0b0:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c8d0:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bac3:$a4: \Orbitum\User Data\Default\Login Data 0x3c4e3:$a4: \Orbitum\User Data\Default\Login Data 0x5cd03:$a4: \Orbitum\User Data\Default\Login Data 0x1cb02:$a5: \Kometa\User Data\Default\Login Data 0x3d522:$a5: \Kometa\User Data\Default\Login Data 0x5dd42:$a5: \Kometa\User Data\Default\Login Data
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x156cf:$s1: UnHook 0x360ef:$s1: UnHook 0x5690f:$s1: UnHook 0x156d6:$s2: SetHook 0x360f6:$s2: SetHook 0x56916:$s2: SetHook 0x156de:$s3: CallNextHook 0x360fe:$s3: CallNextHook 0x5691e:$s3: CallNextHook 0x156eb:$s4: _hook 0x3610b:$s4: _hook 0x5692b:$s4: _hook
4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19aa8:$x1: $%SMTPDV$ 0x3a4c8:$x1: $%SMTPDV$ 0x5ace8:$x1: $%SMTPDV$ 0x1848c:$x2: $#TheHashHere%& 0x38eac:$x2: $#TheHashHere%& 0x596cc:$x2: $#TheHashHere%& 0x19a50:$x3: %FTPDV$ 0x3a470:$x3: %FTPDV$ 0x5ac90:$x3: %FTPDV$ 0x1842c:$x4: $%TelegramDv$ 0x38e4c:$x4: $%TelegramDv$ 0x5966c:$x4: $%TelegramDv$ 0x15d52:$x5: KeyLoggerEventArgs 0x160e7:$x5: KeyLoggerEventArgs 0x36772:$x5: KeyLoggerEventArgs 0x36b07:$x5: KeyLoggerEventArgs 0x56f92:$x5: KeyLoggerEventArgs 0x57327:$x5: KeyLoggerEventArgs 0x19a74:$m2: Clipboard Logs ID 0x19cb2:$m2: Screenshot Logs ID 0x19dc2:$m2: keystroke Logs ID
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", ParentImage: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe, ParentProcessId: 6176, ParentProcessName: FACTURAS PENDIENTES.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", ProcessId: 7324, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", ParentImage: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe, ParentProcessId: 6176, ParentProcessName: FACTURAS PENDIENTES.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe", ProcessId: 7324, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T15:35:47.019690+0100	2803305	3	Unknown Traffic	192.168.2.7	49706	104.21.112.1	443	TCP
2025-03-04T15:35:48.253284+0100	2803305	3	Unknown Traffic	192.168.2.7	49709	104.21.112.1	443	TCP
2025-03-04T15:35:51.248113+0100	2803305	3	Unknown Traffic	192.168.2.7	49733	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T15:35:45.476717+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49702	158.101.44.242	80	TCP
2025-03-04T15:35:46.460942+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49702	158.101.44.242	80	TCP
2025-03-04T15:35:47.664077+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49708	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FACTURAS PENDIENTES.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8/sendMessage?chat_id=5692813672", "Token": "7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8", "Chat_id": "5692813672", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: FACTURAS PENDIENTES.exe	Virustotal: Detection: 54%			Perma Link
Source: FACTURAS PENDIENTES.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	String decryptor:
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	String decryptor: 7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack	String decryptor: 5692813672

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FACTURAS PENDIENTES.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49704 version: TLS 1.0

Source: FACTURAS PENDIENTES.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ZiDJYa.pdbSHA256 source: FACTURAS PENDIENTES.exe
Source:	Binary string: ZiDJYa.pdb source: FACTURAS PENDIENTES.exe

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 0121F1F6h	11_2_0121F007
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 0121FB80h	11_2_0121F007
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0121E528
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0121EB5B
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_0121ED3C
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06998945h	11_2_06998608
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06996171h	11_2_06995EC8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_069936CE
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 069958C1h	11_2_06995618
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06996A21h	11_2_06996778
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06990741h	11_2_06990498
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06997751h	11_2_069974A8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06998001h	11_2_06997D58
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06990FF1h	11_2_06990D48
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06995D19h	11_2_06995A70
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_069933B8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	11_2_069933A8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06996E79h	11_2_06996BD0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 069965C9h	11_2_06996320
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06990B99h	11_2_069908F0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 069972FAh	11_2_06997050
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 069902E9h	11_2_06990040
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06995441h	11_2_06995198
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06998459h	11_2_069981B0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4x nop then jmp 06997BA9h	11_2_06997900

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49708 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49709 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49733 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49704 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E08000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3745532285.0000000006500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1320114536.0000000002D85000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E08000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E69000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002E08000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002EB2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_02ACDE84	4_2_02ACDE84
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_05DCF2E5	4_2_05DCF2E5
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_05DCC5D0	4_2_05DCC5D0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_0715F448	4_2_0715F448
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_0719CDE8	4_2_0719CDE8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_0719E9A8	4_2_0719E9A8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_0719D658	4_2_0719D658
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_0719D220	4_2_0719D220
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_01216108	11_2_01216108
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121C190	11_2_0121C190
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121F007	11_2_0121F007
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121B328	11_2_0121B328
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121C470	11_2_0121C470
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_01216730	11_2_01216730
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121C752	11_2_0121C752
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_01219858	11_2_01219858
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121BBD2	11_2_0121BBD2
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121CA32	11_2_0121CA32
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_01214AD9	11_2_01214AD9
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121BEB0	11_2_0121BEB0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121E528	11_2_0121E528
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121E517	11_2_0121E517
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_01213572	11_2_01213572
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0121B4F2	11_2_0121B4F2
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699B6E8	11_2_0699B6E8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06998608	11_2_06998608
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699D670	11_2_0699D670
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699A408	11_2_0699A408
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699BD38	11_2_0699BD38
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699AA58	11_2_0699AA58
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699C388	11_2_0699C388
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06998BF2	11_2_06998BF2
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699B0A0	11_2_0699B0A0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699D028	11_2_0699D028
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069911A0	11_2_069911A0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699C9D8	11_2_0699C9D8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995EB8	11_2_06995EB8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699B6D9	11_2_0699B6D9
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995EC8	11_2_06995EC8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995618	11_2_06995618
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699560A	11_2_0699560A
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699D663	11_2_0699D663
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06993730	11_2_06993730
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06996778	11_2_06996778
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699676A	11_2_0699676A
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990498	11_2_06990498
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997497	11_2_06997497
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990488	11_2_06990488
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069974A8	11_2_069974A8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06994430	11_2_06994430
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069985FC	11_2_069985FC
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990D39	11_2_06990D39
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699BD28	11_2_0699BD28
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997D58	11_2_06997D58
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990D48	11_2_06990D48
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997D48	11_2_06997D48
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699AA48	11_2_0699AA48
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995A70	11_2_06995A70
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995A60	11_2_06995A60
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069933B8	11_2_069933B8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069933A8	11_2_069933A8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06996BD0	11_2_06996BD0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06996BC1	11_2_06996BC1
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699A3F8	11_2_0699A3F8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06996312	11_2_06996312
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06996320	11_2_06996320
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699C378	11_2_0699C378
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699B08F	11_2_0699B08F
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069908F0	11_2_069908F0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069978F0	11_2_069978F0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069908E0	11_2_069908E0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06992818	11_2_06992818
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699D018	11_2_0699D018
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06992807	11_2_06992807
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990006	11_2_06990006
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997050	11_2_06997050
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06990040	11_2_06990040
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997040	11_2_06997040
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06995198	11_2_06995198
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06991191	11_2_06991191
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699518A	11_2_0699518A
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069981B0	11_2_069981B0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_069981A0	11_2_069981A0
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_0699C9C8	11_2_0699C9C8
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_06997900	11_2_06997900

Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1320114536.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000000.1269971144.00000000007A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZiDJYa.exeZ vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1327783177.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1319121776.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1329679036.00000000074E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 00000004.00000002.1320114536.0000000002D85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3736178006.0000000000D77000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs FACTURAS PENDIENTES.exe
Source: FACTURAS PENDIENTES.exe	Binary or memory string: OriginalFilenameZiDJYa.exeZ vs FACTURAS PENDIENTES.exe

Source: FACTURAS PENDIENTES.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: FACTURAS PENDIENTES.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, -.cs	Base64 encoded string: 'ItkMFjZb6Pv+5ngwlu9liDlfm7/ff7mjDjpfr3b3V/6LUqCpx2jLmcrOuJnV/dHS'
Source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, -.cs	Base64 encoded string: 'ItkMFjZb6Pv+5ngwlu9liDlfm7/ff7mjDjpfr3b3V/6LUqCpx2jLmcrOuJnV/dHS'

Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, B1qUykbKVLW26IlZqa.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, B1qUykbKVLW26IlZqa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, B1qUykbKVLW26IlZqa.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, dhGIktuRA9tmmZ30ug.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, dhGIktuRA9tmmZ30ug.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FACTURAS PENDIENTES.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_351yzufv.nkc.ps1

Jump to behavior

Source: FACTURAS PENDIENTES.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FACTURAS PENDIENTES.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002F82000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3744428333.0000000003D8F000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002F3C000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, FACTURAS PENDIENTES.exe, 0000000B.00000002.3740949613.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FACTURAS PENDIENTES.exe	Virustotal: Detection: 54%
Source: FACTURAS PENDIENTES.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FACTURAS PENDIENTES.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FACTURAS PENDIENTES.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FACTURAS PENDIENTES.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ZiDJYa.pdbSHA256 source: FACTURAS PENDIENTES.exe
Source:	Binary string: ZiDJYa.pdb source: FACTURAS PENDIENTES.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, B1qUykbKVLW26IlZqa.cs	.Net Code: VDgcEsGRWN System.Reflection.Assembly.Load(byte[])
Source: 4.2.FACTURAS PENDIENTES.exe.2f96fb8.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 4.2.FACTURAS PENDIENTES.exe.5da0000.3.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: FACTURAS PENDIENTES.exe

Static PE information: 0xF0B12B68 [Tue Dec 17 18:20:24 2097 UTC]

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_05DC9981 push eax; ret	4_2_05DC998D
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_05DC88F3 push eax; ret	4_2_05DC8919
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_071504A0 pushfd ; ret	4_2_071504A1
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 4_2_071503BE push ds; ret	4_2_071503BF
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Code function: 11_2_012124B9 push 8BFFFFFFh; retf	11_2_012124BF

Source: FACTURAS PENDIENTES.exe

Static PE information: section name: .text entropy: 7.737203806991402

Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, pnip7vcO5ASvatV4ej.cs	High entropy of concatenated method names: 'JUiW7hGIkt', 'TA9WbtmmZ3', 'EaBWHMpyKY', 'ncUW64jfbN', 'qW0WBif6CP', 'eYrWn2lJxn', 'B9vgqWu3QGUY7QMFYw', 'cGRPh1z2xlFVv7KC49', 'JPdWWQQMTZ', 'whXWiK7Arn'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, RpXBJaaaBMpyKYvcU4.cs	High entropy of concatenated method names: 'n49UMugMBE', 'SlHU10IMZx', 'yv6Uu0HtTf', 'pX6UaQeo31', 'RdYUBem80M', 'iM3UnarR26', 'yyEU5dF88o', 'lkLUYFDksS', 'wFZUABIFB9', 'fsPU3IlPO5'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, YxGXuXIK4i0wWKvs3b.cs	High entropy of concatenated method names: 'KImABA9MLi', 'JGhA5mSFMy', 'vH5AAfDpgd', 'TfsAlIrluY', 'rMdAdOJtEE', 'R4MAgatL0E', 'Dispose', 'kW2YKEjMf9', 'ihxY2XpmKb', 'b0YYUhdUDy'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, dvcOAoWiFCG8vbEpqqt.cs	High entropy of concatenated method names: 'GWyl9PS8Gh', 'lBClzPmoJT', 'ptAT4iAFLy', 'uf7oHPZDtf2SwqNBMWT', 'wPnN5jZc0JIFRUVQ8hH', 'l5Yh4uZeZENf5CddSU0', 'OC20qTZt69brxExTnxK', 'hULw7VZ1fkqGMZDZyn3'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, glNirwW4sjmOiKGsgG6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bP73hfrmce', 'p7t3wRswyE', 'lli3fuVyCE', 'hA53XNIMtu', 'JBX3DFaK0K', 'egG3mGDxl3', 'Aa03Rh9AAZ'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, YawANFfiKjfqm5in6V.cs	High entropy of concatenated method names: 'Xlfvuk2Av0', 'Cp6vaJKK8A', 'NIOv8Z8TZy', 'EA5vOO8q9g', 'B45vtExFbQ', 'GH5vCgrsIw', 'CP7vSWZAdU', 'ALyvpfYAX5', 'Qktvx8QOab', 'yI7vh9CIWZ'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, VRy2j4WcJQejrp2xW8V.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IZqTAQfqeg', 'twST3Q5ooe', 'W1nTlPKO6M', 'Aa7TTOacrJ', 'L1ETd3rsDv', 'EOlTF55KNg', 'npaTgMlMHU'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, vKjSUfRWPU74ne9VVI.cs	High entropy of concatenated method names: 'S845HubMj9', 'nNA56GxpYZ', 'ToString', 'ycM5KUUJ4G', 'RUP52BXbhU', 'wOP5UKeQPA', 'Six5oyKU4J', 'lDY5NPgWIJ', 'gYe57uZJwU', 'nXs5bqTdhs'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, cLq68fUbnY8FJbah4q.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'RHVLjLKvRx', 'fPmL9agXE0', 'sTlLzGcxph', 'vJ2i4IOaXj', 'RxUiWGI0RU', 'YrFiLNqu8B', 'MExiiLc5sr', 'C72yMloO4ydZsquvm9J'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, jyJUKEWWGUZya4Xuu9y.cs	High entropy of concatenated method names: 'Owj3965Y8l', 'mRY3zYrEGe', 'QTSl4uBXIp', 'seblWwxYeK', 'VHYlLgSOAo', 'MYtlihXqpE', 'bNGlca4uhB', 'wC4lqapRHV', 'VtnlKOt39x', 'CXPl2crf0e'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, g73BDaLRaWdxRfxZcC.cs	High entropy of concatenated method names: 'DQ4Ep0c4F', 'x1eM4iyZV', 'JWb1PTroy', 'nojGpy2cd', 'y9Yap0AdW', 'acIQ0FYcW', 'NXu4c5fe1jOqX1O0VC', 'NlkqAuUyjjpC965dte', 'MknYIF1U3', 'vEO3Q4LMK'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, B1qUykbKVLW26IlZqa.cs	High entropy of concatenated method names: 'j7Ziqe4mdr', 'juMiKNK8PG', 'weJi2xfZ7q', 'c2niUUJ8ic', 'DfLiou7lGi', 'GOBiNSVf9k', 'mBgi7tq0Se', 'yWmib8ZLMr', 'd3di0564Aw', 'hEsiH6qL9O'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, nCPqYr82lJxnW5Ouij.cs	High entropy of concatenated method names: 'qWONqmj2gp', 'GO8N2AnKq2', 'wwQNoYwqxd', 'RgnN7XfxYX', 'HLPNbD6FiS', 'k23oZFIPEs', 'kyYosZOxCJ', 'eLIoINLjye', 'iugoPfyAm6', 'l1woj61eNb'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, XfbNFuQnElTL95W0if.cs	High entropy of concatenated method names: 'bpkokryVs4', 'MHkoGfSOhw', 'ruEUJHVp0v', 'LuwUt2ueDV', 'yQNUC7BMZj', 'tM6UrNXCRM', 'Os4USWqFA2', 'u19UplPfVN', 'NGTUyt1AR0', 'qNFUxgdfSI'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, w9LLl4ymrO3fS2e0b3.cs	High entropy of concatenated method names: 'IHU7VVrBwM', 'z3O7eUAWJi', 'jXe7E7RsNX', 'eVO7MhEh3W', 'el07k89Tvk', 'NkB71b5kn0', 'Axg7GO1NU4', 'kCO7uEYvui', 'IJa7aExNbI', 'HKA7QWUYr5'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, gJtLTF9aFePBsePbdb.cs	High entropy of concatenated method names: 'tAo3UOE7pU', 'hRq3oeIkr8', 'HPy3NLw465', 'noD37Z4Z7N', 'FcR3AR3S2D', 'qQu3b2rOvp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, dhGIktuRA9tmmZ30ug.cs	High entropy of concatenated method names: 'Gla2XrDIZl', 'hQ32DBbihU', 'phM2mrkDLL', 'rNU2RWUjqK', 'FsT2Zx2QTv', 'MOG2sy0w64', 'sFo2IcV3sx', 'tTR2PHXv2v', 'mRc2jD6ohu', 'NUS29GgtpA'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, LKC7mD2CKKBPZrneGx.cs	High entropy of concatenated method names: 'Dispose', 'c0wWjWKvs3', 'YfsLOprlh1', 'tZS7U4bSAF', 'kB3W9bah1p', 'O90WzQRQ1v', 'ProcessDialogKey', 'trEL46xDRo', 'FhXLW9RQEG', 'yVMLLUJtLT'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, cqr7vctRPtbN2qXr3e.cs	High entropy of concatenated method names: 'FJpNgCq11e', 'zvBNVbSMfS', 'FdsNEZW6ra', 'jhYNM5F2oD', 'vnUN1QdcyT', 'jEtNGfu04D', 't7SNahi3QM', 'RVaNQXKcsR', 'uYH9Tk4R6lUod8BpTdB', 'I51Kpw4itQAum9KKJRC'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, z6xDRojQhX9RQEGVVM.cs	High entropy of concatenated method names: 'eHlA8ICNdy', 'X3YAOgHugQ', 'SYlAJwTvdG', 'BbmAt7dcZ9', 'CAaAC16Shs', 'F4EAryTCqw', 't1gASnRiFB', 'fb6AptsAJr', 'SnLAyRL5c9', 'YoGAxOe6qJ'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, L7a8F0Xnm58n9xNk9h.cs	High entropy of concatenated method names: 'g3eBxCbRwb', 'noGBwSnmKB', 'MWTBXQaaVx', 'iJsBDBE9ys', 'mZVBOJsMA6', 'zDaBJkFKxq', 'VYqBt2maR1', 'TFUBC7buft', 'j2MBr4DP3L', 'hyoBSsB5Wy'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, BB8qJesgPWhy1iwXTD.cs	High entropy of concatenated method names: 'W9q5PO1Tnr', 'uRf59Ol7eP', 'wQnY4hH2mu', 'DnOYWWnMMT', 'w125hntMUn', 'hoN5wVhsN6', 'feP5fiEtEV', 'TuV5XKC60R', 'BBX5DHXEhV', 'dwI5mjHUjy'
Source: 4.2.FACTURAS PENDIENTES.exe.74e0000.4.raw.unpack, eL1PUnzXUyVOOSQSUZ.cs	High entropy of concatenated method names: 'PCB31SyytB', 'Mg63uXpNYp', 'hON3abSUv7', 'umr38j5I0U', 'wuq3Od6rJB', 'q8b3trnuZH', 'HGm3CT0wrH', 'YCs3gYceso', 'W8r3VRf6J8', 'LJ23eMcSm4'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597699	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595121	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594707	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594230	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593750	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1524	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Window / User API: threadDelayed 2190	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Window / User API: threadDelayed 7643	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 5296	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7556	Thread sleep count: 2190 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7556	Thread sleep count: 7643 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599666s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -599016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597699s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -595121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594841s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594707s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -594078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -593969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -593859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe TID: 7552	Thread sleep time: -593750s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599666	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 599016	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598356	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597699	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595577	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 595121	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594707	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594344	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594230	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 594078	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593969	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Thread delayed: delay time: 593750	Jump to behavior

Source: FACTURAS PENDIENTES.exe, 0000000B.00000002.3736400763.0000000000E38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Memory written: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"			Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Process created: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe "C:\Users\user\Desktop\FACTURAS PENDIENTES.exe"			Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3740949613.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS PENDIENTES.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.FACTURAS PENDIENTES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d42d28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.FACTURAS PENDIENTES.exe.3d22308.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3735852536.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3740949613.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1325393907.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3740949613.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 6176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FACTURAS PENDIENTES.exe PID: 7332, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FACTURAS PENDIENTES.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
FACTURAS PENDIENTES.exe