Windows Analysis Report
z1Estadodecuentadelcliente.exe

Overview

General Information

Sample name: z1Estadodecuentadelcliente.exe
Analysis ID: 1630366
MD5: ce06ffe31ff561f8c8036bd6d2320b80
SHA1: bc691326107a4cdd18dd000d56a30fb394f7da92
SHA256: ce274c08c15204a7168689d039f94e7c96a7e4a079b48cb2cbb10ec5bbf25ead
Tags: exe user-Porcupine

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • z1Estadodecuentadelcliente.exe (PID: 824 cmdline: "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe" MD5: CE06FFE31FF561F8C8036BD6D2320B80)
    • powershell.exe (PID: 5548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7236 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
Malware Configuration (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7916775626:AAEpKtCXhW8JVhlJ4gm9KnQGEsOrt7L3fNQ", "Telegram Chatid": "7838187567"}
Source | Rule | Description | Author | Strings
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_MSILLogger | Description: Yara detected MSIL Logger | Author: Joe Security
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
        • 0xf815:$a1: get_encryptedPassword
        • 0xfb3d:$a2: get_encryptedUsername
        • 0xf5a2:$a3: get_timePasswordChanged
        • 0xf6c3:$a4: get_passwordField
        • 0xf82b:$a5: set_encryptedPassword
        • 0x11189:$a7: get_logins
        • 0x10e3a:$a8: GetOutlookPasswords
        • 0x10c2c:$a9: StartKeylogger
        • 0x110d9:$a10: KeyLoggerEventArgs
        • 0x10c89:$a11: KeyLoggerEventArgsEventHandler
Source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source | Rule | Description | Author | Strings
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack | Rule: JoeSecurity_MSILLogger | Description: Yara detected MSIL Logger | Author: Joe Security
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
                • 0xdc15:$a1: get_encryptedPassword
                • 0xdf3d:$a2: get_encryptedUsername
                • 0xd9a2:$a3: get_timePasswordChanged
                • 0xdac3:$a4: get_passwordField
                • 0xdc2b:$a5: set_encryptedPassword
                • 0xf589:$a7: get_logins
                • 0xf23a:$a8: GetOutlookPasswords
                • 0xf02c:$a9: StartKeylogger
                • 0xf4d9:$a10: KeyLoggerEventArgs
                • 0xf089:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack | Rule: MAL_Envrial_Jan18_1 | Description: Detects Encrial credential stealer malware | Author: Florian Roth
                • 0x12d8d:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x1228b:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x12599:$a4: \Orbitum\User Data\Default\Login Data
                • 0x13391:$a5: \Kometa\User Data\Default\Login Data

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ParentImage: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, ParentProcessId: 824, ParentProcessName: z1Estadodecuentadelcliente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ProcessId: 5548, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ParentImage: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, ParentProcessId: 824, ParentProcessName: z1Estadodecuentadelcliente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ProcessId: 5548, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ParentImage: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, ParentProcessId: 824, ParentProcessName: z1Estadodecuentadelcliente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe", ProcessId: 5548, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T20:01:12.738852+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 158.101.44.242 | 80 | TCP


                AV Detection

Source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7916775626:AAEpKtCXhW8JVhlJ4gm9KnQGEsOrt7L3fNQ", "Telegram Chatid": "7838187567"}
Source: z1Estadodecuentadelcliente.exe | Virustotal: Detection: 22%
Source: z1Estadodecuentadelcliente.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: z1Estadodecuentadelcliente.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: z1Estadodecuentadelcliente.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 011F9731h | 6_2_011F9480
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 011F9E5Ah | 6_2_011F9A40
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 011F9E5Ah | 6_2_011F9A30
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 011F9E5Ah | 6_2_011F9D87
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05335E15h | 6_2_05335AD8
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 053347C9h | 6_2_05334520
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05338830h | 6_2_05338588
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 053376D0h | 6_2_05337428
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533F700h | 6_2_0533F458
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 053376D0h | 6_2_05337428
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533E9F8h | 6_2_0533E750
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05335929h | 6_2_05335680
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 053383D8h | 6_2_05338130
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533E5A0h | 6_2_0533E180
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05337278h | 6_2_053371EA
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533F2A8h | 6_2_0533F000
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 053354D1h | 6_2_05335228
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05335079h | 6_2_05334DD0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05337F80h | 6_2_05337CD8
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05337278h | 6_2_05336FD0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05334C21h | 6_2_05334978
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533FB58h | 6_2_0533F8B0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 05337B28h | 6_2_05337880
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 4x nop then jmp 0533EE50h | 6_2_0533EBA8
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | IP Address: 104.21.80.1
Source: Joe Sandbox View | IP Address: 104.21.80.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1698171992.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1Estadodecuentadelcliente.exe | String found in binary or memory: http://tempuri.org/CRUDDataSet.xsd
Source: z1Estadodecuentadelcliente.exe | String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1698171992.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/CRUDDataSet1.xsd?0ZM
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1702736424.0000000007592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2909959910.0000000000E36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                System Summary

Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0133D9D4
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_06100690
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_06100680
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_06156710
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_06158A4A
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_075677F0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0756A608
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0756E518
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07564300
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_075642EF
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07566D10
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DDB740
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DD5420
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DDB72A
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DD0620
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07E03924
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07E064D0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082CC0F1
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C5158
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C7222
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C7230
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C6D20
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C6D0F
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C5581
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C5590
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C7668
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_082C96C0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011FC530
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011F9480
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011FC521
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011F2DD1
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011F946F
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05336138
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_053313A8
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_0533BC60
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_0533AF00
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_053389E0
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05330AB8
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05335AD8
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05334520
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_0533450F
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05338579
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05338588
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05337428
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05337418
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_0533F458
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_05337428
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_0533F448
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533E7506_2_0533E750
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533E7406_2_0533E740
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533566F6_2_0533566F
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053356806_2_05335680
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053361336_2_05336133
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053381306_2_05338130
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053381206_2_05338120
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533E1806_2_0533E180
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533F0006_2_0533F000
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053303306_2_05330330
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053303206_2_05330320
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053352286_2_05335228
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533521A6_2_0533521A
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05334DD06_2_05334DD0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05334DC06_2_05334DC0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05330CD86_2_05330CD8
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05337CD86_2_05337CD8
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05337CC86_2_05337CC8
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533EFF06_2_0533EFF0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05336FD06_2_05336FD0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05336FC36_2_05336FC3
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05336FC16_2_05336FC1
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053349786_2_05334978
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053349696_2_05334969
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053389D06_2_053389D0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053378716_2_05337871
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533F8B06_2_0533F8B0
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533F8A16_2_0533F8A1
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_053378806_2_05337880
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533EBA86_2_0533EBA8
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_0533EB986_2_0533EB98
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeCode function: 6_2_05335ACA6_2_05335ACA
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1705131119.0000000008020000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1698171992.0000000003062000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1704056051.0000000007A70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1698171992.000000000324D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000000.1666220806.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezrjF.exe4 vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1698171992.0000000002F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000000.00000002.1697429885.000000000104E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2909787604.0000000000D57000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2909580142.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs z1Estadodecuentadelcliente.exe
Source: z1Estadodecuentadelcliente.exe | Binary or memory string: OriginalFilenamezrjF.exe4 vs z1Estadodecuentadelcliente.exe
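The OriginalFilename values above come from version resources found in memory: the loader's own (zrjF.exe), the two helper assemblies it unpacks (Montero.dll, TL.dll) and the final payload (CloudServices.exe, which also sits at 0x41A000 in the child process, in a private region whose protection field reads 0x40, i.e. PAGE_EXECUTE_READWRITE). None of them matches the name the file was delivered under. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it pulls OriginalFilename values out of a raw memory region and lists the ones that differ from the on-disk name, which is the check this signature performs. The dump it scans is constructed here by a builder that reproduces the VS_VERSIONINFO String layout; the names inside it are the ones shown in the report, everything else about the dump is assumed.

```python
import re
import struct

# The key as it appears inside a PE version resource: UTF-16LE "OriginalFilename".
_KEY = "OriginalFilename".encode("utf-16-le")
# After the NUL-terminated key there may be 2 bytes of DWORD alignment padding,
# then the NUL-terminated UTF-16LE value (printable ASCII is enough for file names).
_ORIGINAL_FILENAME = re.compile(
    re.escape(_KEY) + rb"\x00\x00(?:\x00\x00)?((?:[\x20-\x7e]\x00){1,260})\x00\x00"
)


def original_filenames(dump: bytes) -> list:
    """Every OriginalFilename value found in a raw memory region, in order of appearance."""
    return [m.group(1).decode("utf-16-le") for m in _ORIGINAL_FILENAME.finditer(dump)]


def mismatched_names(disk_name: str, dump: bytes) -> list:
    """OriginalFilename values that do not match the file name on disk (deduplicated)."""
    seen, out = set(), []
    for name in original_filenames(dump):
        key = name.lower()
        if key != disk_name.lower() and key not in seen:
            seen.add(key)
            out.append(name)
    return out


def version_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' entry (wLength, wValueLength, wType, szKey,
    DWORD padding, Value) so the constructed dump has the real on-disk layout."""
    szkey = key.encode("utf-16-le") + b"\x00\x00"
    body = szkey + (b"\x00\x00" if (6 + len(szkey)) % 4 else b"")
    body += value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


def build_sample_dump() -> bytes:
    """Constructed memory region standing in for the report's .sdmp files: the loader's
    version info followed by the version info of two payloads it carries (assumed layout)."""
    filler = bytes(range(256)) * 4  # arbitrary bytes that are not version info
    return (
        filler
        + version_string("CompanyName", "")
        + version_string("OriginalFilename", "zrjF.exe")
        + filler
        + version_string("OriginalFilename", "Montero.dll")
        + version_string("ProductName", "Montero")
        + filler
        + version_string("OriginalFilename", "CloudServices.exe")
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    for name in mismatched_names("z1Estadodecuentadelcliente.exe", dump):
        print(f"OriginalFilename {name} vs z1Estadodecuentadelcliente.exe")
```

A mismatch on its own is weak evidence (renamed installers and repackaged tools trigger it too); the point here is that three different original names surface from one process, and one of them appears inside private executable memory in the child rather than in the on-disk image, which is what separates an unpacking loader from a renamed file.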
Source: z1Estadodecuentadelcliente.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z1Estadodecuentadelcliente.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, r0myXh6jG1bottCgTw.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/6@2/2
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z1Estadodecuentadelcliente.exe.log
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouzrmppx.uiz.ps1
Source: z1Estadodecuentadelcliente.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z1Estadodecuentadelcliente.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, z1Estadodecuentadelcliente.exe, 00000006.00000002.2911264062.0000000002DEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: z1Estadodecuentadelcliente.exe | Virustotal: Detection: 22%
Source: z1Estadodecuentadelcliente.exe | ReversingLabs: Detection: 31%
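That CREATE TABLE statement is the schema of the password_notes table in a recent Chromium "Login Data" SQLite file, and it turns up in the heap of the injected child process (process 6), i.e. the payload opened the browser's saved-password store; this is what the "Tries to harvest and steal browser information" signature keys on. The Python below is an added example (not from the Joe Sandbox report or from the sample) of what an incident responder does with that fact: read the same file and scope which saved logins were exposed, without decrypting anything. The Login Data it reads is constructed in memory with a subset of the real logins columns plus the password_notes table exactly as quoted above; the hosts, user names, ciphertext bytes and timestamps are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Chromium stores times as microseconds since 1601-01-01 UTC (the FILETIME epoch).
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_time(us: int) -> Optional[str]:
    """Convert a Chromium timestamp to ISO-8601; 0 means the entry was never used."""
    return (_WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat() if us else None


def password_scheme(blob: bytes) -> str:
    """Identify how a password_value was protected, without decrypting it."""
    if blob.startswith(b"v20"):
        return "app-bound encryption (key held by the browser's elevated service)"
    if blob.startswith(b"v10"):
        return "AES-256-GCM with the DPAPI-wrapped key from Local State"
    if blob.startswith(b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf"):
        return "legacy DPAPI blob (CryptUnprotectData as the logged-on user)"
    return "unknown"


def exposed_accounts(con: sqlite3.Connection) -> List[dict]:
    """Saved logins a stealer that read this file has obtained, most recently used first.
    'Never save' entries (blacklisted_by_user = 1) hold no password and are skipped."""
    rows = con.execute(
        "SELECT origin_url, username_value, password_value, date_last_used "
        "FROM logins WHERE blacklisted_by_user = 0 ORDER BY date_last_used DESC"
    )
    return [
        {"origin": o, "user": u, "scheme": password_scheme(p), "last_used": webkit_time(t)}
        for o, u, p, t in rows
    ]


def open_login_data(path: str) -> sqlite3.Connection:
    """Open a *copy* of 'Login Data' read-only; the live file is locked by the browser,
    which is also why stealers copy it before querying."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_login_data() -> sqlite3.Connection:
    """Constructed stand-in for a Chromium 'Login Data' file (assumed contents)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE logins (
            origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB,
            date_created INTEGER NOT NULL, date_last_used INTEGER NOT NULL DEFAULT 0,
            blacklisted_by_user INTEGER NOT NULL, id INTEGER PRIMARY KEY AUTOINCREMENT);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
            parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE
            DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB,
            date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    """)
    rows = [
        # v10 prefix + 12-byte nonce + ciphertext/tag, as written by Chromium 80 and later
        ("https://mail.example.com/", "alice@example.com",
         b"v10" + bytes(12) + b"\xaa" * 24, 13340000000000000, 13350000000000000, 0),
        # older profile entry: raw DPAPI blob (provider GUID header)
        ("https://intranet.example.com/", "alice",
         b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11" + b"\xbb" * 32,
         13300000000000000, 13300000000000000, 0),
        # "Never save for this site": no secret stored, nothing exposed
        ("https://bank.example.com/", "", b"", 13300000000000000, 0, 1),
    ]
    con.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value, date_created, "
        "date_last_used, blacklisted_by_user) VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


if __name__ == "__main__":
    for account in exposed_accounts(build_sample_login_data()):
        print(account)
```

The scheme column matters for scoping: v10 entries are recoverable by anyone who also took the profile's Local State file and can call DPAPI as that user, which a stealer running in the user's session can, so every v10 and legacy row should be treated as compromised and rotated; app-bound (v20) rows additionally require the browser's elevated service, which a user-mode stealer cannot reach directly.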
Source: unknown | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
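The process tree above shows the two events a detection should key on: the sample launching powershell.exe to add its own path as a Defender exclusion (Add-MpPreference -ExclusionPath), and the sample launching its own image three times, which is the create-suspended-and-write pattern behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The Python below is an added example, not part of the Joe Sandbox report: a detector that runs over process-creation events, decodes -EncodedCommand so the base64 variant the Sigma rule in the overview refers to is caught as well, and flags a child whose image equals its parent's. The events are constructed from the tree above; PIDs 824, 2800 and 3104 are taken from the report, the remaining PIDs, the explorer.exe parent and the encoded variant are assumed.

```python
import base64
import re
from typing import List, Optional, Tuple

SAMPLE = r"C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
# The 32-bit sample asked for System32\...\powershell.exe; WoW64 file-system
# redirection loaded the SysWOW64 copy, so image and command line differ.
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 4321, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 824, "ppid": 4321, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2800, "ppid": 824, "image": PS_IMAGE,
     "cmdline": f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"pid": 3104, "ppid": 824, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    # Same intent hidden behind -enc (assumed variant, not seen in this report).
    {"pid": 5555, "ppid": 824, "image": PS_IMAGE,
     "cmdline": f'"{PS_CMD}" -nop -w hidden -enc '
                + encode_command(f"Set-MpPreference -ExclusionProcess '{SAMPLE}'")},
    # Benign: reading the configuration is not a finding.
    {"pid": 6000, "ppid": 4321, "image": PS_IMAGE, "cmdline": f'"{PS_CMD}" Get-MpPreference'},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAG = re.compile(
    r"-(?:" + "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
    + r")\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
_MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b",
    re.IGNORECASE | re.DOTALL,
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[dict]) -> List[Tuple[str, int, str]]:
    """(finding, pid, detail) for Defender-exclusion commands and same-image children."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        script = decode_encoded_command(e["cmdline"]) or e["cmdline"]
        if _MP_EXCLUSION.search(script):
            findings.append(("defender_exclusion", e["pid"], script))
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append(("self_spawn", e["pid"], e["image"]))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:19} pid={pid} {detail}")
```

A same-image child on its own is noisy (browsers, updaters and console hosts do it routinely); what makes this chain distinctive is that the same parent also added the exclusion and that the image lives under a user-writable Desktop path, so alert on the combination, or on self-spawn from user-writable locations. Match the PowerShell image on both the System32 and SysWOW64 paths for the reason noted in the code.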
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: z1Estadodecuentadelcliente.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: z1Estadodecuentadelcliente.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, r0myXh6jG1bottCgTw.cs | .Net Code: jMeaJDTrw2 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, r0myXh6jG1bottCgTw.cs | .Net Code: jMeaJDTrw2 System.Reflection.Assembly.Load(byte[])
                Source: z1Estadodecuentadelcliente.exe | Static PE information: 0xFAB1E83A [Sat Apr 14 03:08:42 2103 UTC]
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0610608D push dword ptr [ecx+ecx-75h]; iretd 0_2_0610609A
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0756DF30 pushad ; iretd 0_2_0756DF31
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_0756CA00 pushad ; ret 0_2_0756CA01
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DDE085 push 8B000001h; iretd 0_2_07DDE0B4
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07DDE0BF push 8B000001h; iretd 0_2_07DDE0C5
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 0_2_07E06233 push esp; ret 0_2_07E06239
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Code function: 6_2_011FB3A8 push eax; iretd 6_2_011FB445
                Source: z1Estadodecuentadelcliente.exe | Static PE information: section name: .text entropy: 7.780407212604107
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, EUqUjPcZKFFDylEKrl.cs | High entropy of concatenated method names: 'EPXbE8PFhq', 'sjjbueYKe7', 'wNYbJtvw4H', 'KOvbPpRnm8', 'X40bTmfGej', 'QjcbHcDWO6', 'HnKbVPIDek', 'BnubNK1sPF', 'RSpb8LGVDo', 'JueblDXu3m'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, kU1kUp8I3HxsD2sxdf.cs | High entropy of concatenated method names: 'H9WiPi0Rls', 'pRriHCXNmk', 'hHriNevBJy', 'GrBi8jLdpm', 'dZpiUTIuRE', 'OAGiSLjmK2', 'xoRixYlE4j', 'NLMiZ4OJvI', 'FsZih5AKba', 'Tg5isycxrA'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, bmfQGQzXDkla8thfh1.cs | High entropy of concatenated method names: 'rJWsH19AhT', 'aVKsNxnNPg', 'Si5s84EsiD', 'SZisfeK7ts', 'Ahbs509EJQ', 'jgvsXPVa9t', 'rpuso6pAMF', 'oNssGdImMq', 't4AsExJmJp', 'e4CsuvqBt1'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, muA3kkvOmpkXH7ARJx.cs | High entropy of concatenated method names: 'jDPxnCLhyj', 'QQBx998eLs', 'YIeZWKdhDp', 'YkkZ4QXApg', 'EyDx2k0fuM', 'g9Uxrx72Hd', 'K3jxBiSL2v', 'xAQxjhg3YD', 'sIrxMtJAEk', 'OZCxQJf5vI'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, tP5dN2XxkBaIB6hXeu.cs | High entropy of concatenated method names: 'c0kDG4xVNj', 'reTDEMQtRY', 'PnSDJWKPmO', 'rXsDPoTnNX', 'XCaDH2Yw2g', 'PRnDV57nBq', 'L24D88wfT8', 'sLxDlgI4E5', 'kjoeLJfcJ4EdtHB4N6Y', 'z3Zi6CfIheFtmM173XD'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, CPASjo97NytCSsQG8R.cs | High entropy of concatenated method names: 'XxwsicTvJC', 'WwFsynPoEx', 'ux9sDs7tbJ', 'vmAsbDiGF7', 'UeoshqWnoB', 'U60s6TkHC7', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, r0myXh6jG1bottCgTw.cs | High entropy of concatenated method names: 'ureemCx6V7', 'iKWeFtCktW', 'eBCeYm8XuH', 'd1FeiUQSQe', 'KY5eyT9Le9', 'oVQeDlfSEE', 'qrFebr5UgT', 'BQ8e6FJuMe', 'SpCek3gHWu', 'SVZew3AWYV'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, Ro1QibfilguUUD2EQp.cs | High entropy of concatenated method names: 'T8ADmZiNnF', 'ISiDYe831e', 'CkQDyj8vos', 'hqnDbbTbdp', 'dv4D6IwTsy', 'nIpydHVD8X', 'lk8yv0CZp9', 'uIcyOJfqLS', 'FNTyncXvFo', 'PpmyIQr2ak'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, sxO0QOKxg89hSStq1r.cs | High entropy of concatenated method names: 'gQUJI7Nek', 'WfePxoWSK', 'gYcH1OSxo', 'WFpVlOK6W', 'IX48m9vhu', 'hrLla8JZh', 'yPclWRT2bmQkuxCvPV', 'XHRsJwL32jIMurmbB7', 'z6QZUe84T', 'hgiswVdMW'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, jhAggNIoQFoHgiOfNk.cs | High entropy of concatenated method names: 'X1RhfX7orj', 'Gcfh5OJUbb', 'i7YhLlELR3', 'NKKhXgGcOy', 'zV7hoc5Y7h', 'LIghgMNkYk', 'YEFhpWdnEl', 'Ngeh0Lojfr', 'JBBhcSwJIv', 'H7ShqKYHKd'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, E04ISU4WgvvHluj4Qfi.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Savs2cYSB7', 'm3CsrdAexB', 'jK7sB8VlYH', 'L3gsji3NQs', 'BgbsMTA35l', 'mqhsQntL9j', 'miCsReyY8U'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, HdDsFSi0WGnCbFPYp7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gVEKI2YJQU', 'OIIK9WEw8o', 'cMqKzSj7qy', 'dfneW7t70C', 'Hj9e4v0rFE', 'esEeKNINX2', 'Lk0eeEXh3q', 'odeiuXsWf1DhBCytC2a'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, JJt2raYPejUhvetL1x.cs | High entropy of concatenated method names: 'Dispose', 'cEG4I26Wpw', 'EEpK5KdF4Y', 'SxgXMGPFCP', 'kOR496oChf', 'j7f4ztBSLX', 'ProcessDialogKey', 'P3bKWhAggN', 'JQFK4oHgiO', 'GNkKKHPASj'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, mRWqTv4KM91cmh4jYCT.cs | High entropy of concatenated method names: 'ToString', 'VP9AN2CDJ9', 'WTwA8hiaRi', 'MSNAl5vTE1', 'm1nAf2uBrv', 'qTuA5hNKFr', 'EImAL1jurV', 'MjrAXpVnsW', 'B8I1RkFzbBx756QYJLN', 'gTPCBNWyUcIP3PFYD9o'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, zMpQ2L44VdF8FwCbjcb.cs | High entropy of concatenated method names: 'KoBs9lSOXg', 'dRZszYagiT', 'weoAWWkG5f', 'VgkA4k69ZN', 'EZFAK8QndF', 'A2oAe9CVvG', 'ox8Aa3tdd9', 'U15AmetTKE', 'p1bAFSZk6M', 'aPeAYlexuv'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | High entropy of concatenated method names: 'qWlYjVT4Af', 'J8FYMR5QOD', 'UiDYQd4jo9', 'GonYR43bsm', 'WVvYd766bi', 'J5WYvCbwgu', 'IpOYOD8KPk', 'OrsYnLLgrH', 'dvPYIFsl09', 'PpNY9sanWS'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, g64IREa3RCrGdDvDRs.cs | High entropy of concatenated method names: 'MRp4b8DQDx', 'oVU46hEI70', 'LI34wHxsD2', 'sxd41fkgSR', 'KDn4UslMo1', 'Sib4SilguU', 'M0r9GTDgZt8Tqk4MAi', 'DhcYjI6VWOfHlMfiOU', 'Bp744ylp0u', 'QdV4eC0N9O'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, rTLtTtOG2eEG26Wpwk.cs | High entropy of concatenated method names: 'kPJhUgSLN2', 'NWGhx3ee60', 'nBlhhKfO3a', 'xvehAJSgVR', 'H6whtpulWO', 'xbDhGUUIWh', 'Dispose', 'orZZFaAMnX', 'ADqZYgBSGl', 'BLkZiRrtES'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, wAxsIuji8relaYPX4Y.cs | High entropy of concatenated method names: 'yCUUqJdpFX', 'kDnUrJLdCJ', 'TowUj5Sro5', 'BSDUMWU2Id', 'oJjU5M2txv', 'p2SULwMjEu', 'PdTUXVDuSX', 'zNgUo0lmVA', 'xvYUg6XP5m', 'XMbUpOsFs1'
                Source: 0.2.z1Estadodecuentadelcliente.exe.4079190.5.raw.unpack, ysypbfBOgUtrQnJDDA.cs | High entropy of concatenated method names: 'Eds7N9Yt0D', 'Uhm78Q3lJF', 'H577frI55P', 'EWG759s2bQ', 'Cal7XXsjSJ', 'WQa7o8Td3w', 'vFj7pZBT8A', 'NTa70Qj2mX', 'Vbv7qV9qwF', 'O8c72VaTFq'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, EUqUjPcZKFFDylEKrl.cs | High entropy of concatenated method names: 'EPXbE8PFhq', 'sjjbueYKe7', 'wNYbJtvw4H', 'KOvbPpRnm8', 'X40bTmfGej', 'QjcbHcDWO6', 'HnKbVPIDek', 'BnubNK1sPF', 'RSpb8LGVDo', 'JueblDXu3m'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, kU1kUp8I3HxsD2sxdf.cs | High entropy of concatenated method names: 'H9WiPi0Rls', 'pRriHCXNmk', 'hHriNevBJy', 'GrBi8jLdpm', 'dZpiUTIuRE', 'OAGiSLjmK2', 'xoRixYlE4j', 'NLMiZ4OJvI', 'FsZih5AKba', 'Tg5isycxrA'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, bmfQGQzXDkla8thfh1.cs | High entropy of concatenated method names: 'rJWsH19AhT', 'aVKsNxnNPg', 'Si5s84EsiD', 'SZisfeK7ts', 'Ahbs509EJQ', 'jgvsXPVa9t', 'rpuso6pAMF', 'oNssGdImMq', 't4AsExJmJp', 'e4CsuvqBt1'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, muA3kkvOmpkXH7ARJx.cs | High entropy of concatenated method names: 'jDPxnCLhyj', 'QQBx998eLs', 'YIeZWKdhDp', 'YkkZ4QXApg', 'EyDx2k0fuM', 'g9Uxrx72Hd', 'K3jxBiSL2v', 'xAQxjhg3YD', 'sIrxMtJAEk', 'OZCxQJf5vI'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, tP5dN2XxkBaIB6hXeu.cs | High entropy of concatenated method names: 'c0kDG4xVNj', 'reTDEMQtRY', 'PnSDJWKPmO', 'rXsDPoTnNX', 'XCaDH2Yw2g', 'PRnDV57nBq', 'L24D88wfT8', 'sLxDlgI4E5', 'kjoeLJfcJ4EdtHB4N6Y', 'z3Zi6CfIheFtmM173XD'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, CPASjo97NytCSsQG8R.cs | High entropy of concatenated method names: 'XxwsicTvJC', 'WwFsynPoEx', 'ux9sDs7tbJ', 'vmAsbDiGF7', 'UeoshqWnoB', 'U60s6TkHC7', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, r0myXh6jG1bottCgTw.cs | High entropy of concatenated method names: 'ureemCx6V7', 'iKWeFtCktW', 'eBCeYm8XuH', 'd1FeiUQSQe', 'KY5eyT9Le9', 'oVQeDlfSEE', 'qrFebr5UgT', 'BQ8e6FJuMe', 'SpCek3gHWu', 'SVZew3AWYV'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, Ro1QibfilguUUD2EQp.cs | High entropy of concatenated method names: 'T8ADmZiNnF', 'ISiDYe831e', 'CkQDyj8vos', 'hqnDbbTbdp', 'dv4D6IwTsy', 'nIpydHVD8X', 'lk8yv0CZp9', 'uIcyOJfqLS', 'FNTyncXvFo', 'PpmyIQr2ak'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, sxO0QOKxg89hSStq1r.cs | High entropy of concatenated method names: 'gQUJI7Nek', 'WfePxoWSK', 'gYcH1OSxo', 'WFpVlOK6W', 'IX48m9vhu', 'hrLla8JZh', 'yPclWRT2bmQkuxCvPV', 'XHRsJwL32jIMurmbB7', 'z6QZUe84T', 'hgiswVdMW'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, jhAggNIoQFoHgiOfNk.cs | High entropy of concatenated method names: 'X1RhfX7orj', 'Gcfh5OJUbb', 'i7YhLlELR3', 'NKKhXgGcOy', 'zV7hoc5Y7h', 'LIghgMNkYk', 'YEFhpWdnEl', 'Ngeh0Lojfr', 'JBBhcSwJIv', 'H7ShqKYHKd'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, E04ISU4WgvvHluj4Qfi.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Savs2cYSB7', 'm3CsrdAexB', 'jK7sB8VlYH', 'L3gsji3NQs', 'BgbsMTA35l', 'mqhsQntL9j', 'miCsReyY8U'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, HdDsFSi0WGnCbFPYp7.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gVEKI2YJQU', 'OIIK9WEw8o', 'cMqKzSj7qy', 'dfneW7t70C', 'Hj9e4v0rFE', 'esEeKNINX2', 'Lk0eeEXh3q', 'odeiuXsWf1DhBCytC2a'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, JJt2raYPejUhvetL1x.cs | High entropy of concatenated method names: 'Dispose', 'cEG4I26Wpw', 'EEpK5KdF4Y', 'SxgXMGPFCP', 'kOR496oChf', 'j7f4ztBSLX', 'ProcessDialogKey', 'P3bKWhAggN', 'JQFK4oHgiO', 'GNkKKHPASj'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, mRWqTv4KM91cmh4jYCT.cs | High entropy of concatenated method names: 'ToString', 'VP9AN2CDJ9', 'WTwA8hiaRi', 'MSNAl5vTE1', 'm1nAf2uBrv', 'qTuA5hNKFr', 'EImAL1jurV', 'MjrAXpVnsW', 'B8I1RkFzbBx756QYJLN', 'gTPCBNWyUcIP3PFYD9o'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, zMpQ2L44VdF8FwCbjcb.cs | High entropy of concatenated method names: 'KoBs9lSOXg', 'dRZszYagiT', 'weoAWWkG5f', 'VgkA4k69ZN', 'EZFAK8QndF', 'A2oAe9CVvG', 'ox8Aa3tdd9', 'U15AmetTKE', 'p1bAFSZk6M', 'aPeAYlexuv'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, L8DQDxNUVUhEI70IqQ.cs | High entropy of concatenated method names: 'qWlYjVT4Af', 'J8FYMR5QOD', 'UiDYQd4jo9', 'GonYR43bsm', 'WVvYd766bi', 'J5WYvCbwgu', 'IpOYOD8KPk', 'OrsYnLLgrH', 'dvPYIFsl09', 'PpNY9sanWS'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, g64IREa3RCrGdDvDRs.cs | High entropy of concatenated method names: 'MRp4b8DQDx', 'oVU46hEI70', 'LI34wHxsD2', 'sxd41fkgSR', 'KDn4UslMo1', 'Sib4SilguU', 'M0r9GTDgZt8Tqk4MAi', 'DhcYjI6VWOfHlMfiOU', 'Bp744ylp0u', 'QdV4eC0N9O'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, rTLtTtOG2eEG26Wpwk.cs | High entropy of concatenated method names: 'kPJhUgSLN2', 'NWGhx3ee60', 'nBlhhKfO3a', 'xvehAJSgVR', 'H6whtpulWO', 'xbDhGUUIWh', 'Dispose', 'orZZFaAMnX', 'ADqZYgBSGl', 'BLkZiRrtES'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, wAxsIuji8relaYPX4Y.cs | High entropy of concatenated method names: 'yCUUqJdpFX', 'kDnUrJLdCJ', 'TowUj5Sro5', 'BSDUMWU2Id', 'oJjU5M2txv', 'p2SULwMjEu', 'PdTUXVDuSX', 'zNgUo0lmVA', 'xvYUg6XP5m', 'XMbUpOsFs1'
                Source: 0.2.z1Estadodecuentadelcliente.exe.8020000.7.raw.unpack, ysypbfBOgUtrQnJDDA.cs | High entropy of concatenated method names: 'Eds7N9Yt0D', 'Uhm78Q3lJF', 'H577frI55P', 'EWG759s2bQ', 'Cal7XXsjSJ', 'WQa7o8Td3w', 'vFj7pZBT8A', 'NTa70Qj2mX', 'Vbv7qV9qwF', 'O8c72VaTFq'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 1330000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 2EF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 4EF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 9B50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 8410000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: AB50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: BB50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 11F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 2CF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: 2B40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 240000
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239890
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239780
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239653
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239546
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239436
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239324
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239218
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 239065
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238937
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238828
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238691
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238531
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238400
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238293
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238134
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 238024
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 237864
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 237619
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 237504
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 237355
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 237234
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Window / User API: threadDelayed 1789
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Window / User API: threadDelayed 1154
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 6388
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 3370
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -11068046444225724s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239890s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239780s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239653s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239546s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239436s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239324s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239218s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -239065s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238937s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238828s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238691s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238531s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238400s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238293s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238134s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -238024s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -237864s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -237619s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -237504s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -237355s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 6616, Thread sleep time: -237234s >= -30000s
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe TID: 3636, Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212, Thread sleep time: -2767011611056431s >= -30000s
                Source: z1Estadodecuentadelcliente.exe, 00000006.00000002.2909959910.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Code function: 6_2_05330AB8 LdrInitializeThunk,LdrInitializeThunk,6_2_05330AB8
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Process token adjusted: Debug
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe, Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Memory written: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe base: 400000 value starts with: 4D5A (an MZ-headed image written into another instance of the sample at the default 32-bit image base, the characteristic hollowing write)
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
                The PowerShell rows add the sample's own on-disk path as a Defender path exclusion. The command line names the System32 host but the process that runs is the SysWOW64 one: the 32-bit sample is subject to file system redirection, so a 32-bit powershell.exe spawned from a user-writable path is itself a useful hunting pivot.
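The PowerShell rows above are the Defender exclusion being added for the sample's own path (Add-MpPreference -ExclusionPath). The same cmdlet is frequently shipped base64-encoded to powershell.exe -EncodedCommand, which hides it from a naive string match on the process command line. The following Python is an added example, not the sample's code and not part of the Joe Sandbox report: it scans process-creation command lines, decodes the -EncodedCommand form (base64 of UTF-16LE) before matching, and extracts what was excluded. The first sample command line is copied from this report; the other three are constructed, and the function names are mine.

```python
import base64
import re
from typing import Optional


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (Sysmon Event ID 1 / Security 4688
# CommandLine). The first is the command line from this report; the rest are
# made up to cover the encoded form and two benign PowerShell invocations.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"',
    "powershell.exe -nop -w hidden -enc " + encode_powershell(
        r'Add-MpPreference -ExclusionProcess "C:\Users\Public\stage2.exe", "C:\Users\Public\stage3.exe"'),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    r"powershell.exe Get-MpPreference",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# The base64 payload is required to be at least 16 characters so that short
# arguments such as "-ExecutionPolicy Bypass" do not match.
ENCODED_ARG = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Only the cmdlets that add or replace preferences; Remove-MpPreference is not tampering.
MPPREF_CMDLET = re.compile(r"\b(add|set)-mppreference\b", re.IGNORECASE)
# One argument value: double-quoted, single-quoted, or a bare token up to a comma.
_VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,]+)"""
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def find_defender_exclusion(cmdline: str) -> Optional[dict]:
    """Report a Defender exclusion change found in a plain or encoded PowerShell command line."""
    script = decode_encoded_command(cmdline)
    text = cmdline if script is None else script
    cmdlet = MPPREF_CMDLET.search(text)
    if cmdlet is None:
        return None
    exclusions = []
    for m in EXCLUSION_ARG.finditer(text):
        for raw in re.findall(_VALUE, m.group(2)):        # expand comma-separated lists
            exclusions.append((m.group(1).lower(), raw.strip("\"'")))
    if not exclusions:
        return None
    return {"encoded": script is not None,
            "cmdlet": cmdlet.group(1).capitalize() + "-MpPreference",
            "exclusions": exclusions}


def scan_command_lines(lines):
    """(index, finding) for every command line that changes Defender exclusions."""
    return [(i, f) for i, line in enumerate(lines)
            if (f := find_defender_exclusion(line)) is not None]


if __name__ == "__main__":
    for i, finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(i, finding)
```

On the host, the corroborating record is event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which carries the new ExclusionPath value whichever way the cmdlet was invoked; the command-line scan above is what you run over process telemetry when that log is not forwarded.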
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Process created: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe "C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe"
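The "Memory written ... base: 400000 value starts with: 4D5A" row above, together with the three "Process created" rows of the sample relaunching its own image, is the process-hollowing pattern: a fresh instance is started, a different PE is written over its image base (0x400000 is the linker default for 32-bit executables), and execution is redirected into it. When the written buffer is available (from the sandbox memory dump or a WriteProcessMemory hook), the first triage step is to parse its headers: confirm it really is a PE, read machine type, entry point and preferred ImageBase, and check whether that ImageBase equals the write target; a match with no DYNAMIC_BASE flag means the payload was linked to run exactly where it was written. The Python below is an added example, not code from the sample or from Joe Sandbox; the image it parses is constructed by build_minimal_pe32() and the function names are mine.

```python
import struct
from typing import Optional

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ" read as little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0" read as little-endian DWORD
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}


def parse_pe_header(buf: bytes) -> Optional[dict]:
    """Parse DOS + NT headers of an in-memory PE image; None if buf is not a PE."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, _coff_chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                      # start of IMAGE_OPTIONAL_HEADER
    if opt + 72 > len(buf) or opt_size < 72:  # need up through DllCharacteristics (offset 70)
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]     # AddressOfEntryPoint (both formats)
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]   # after BaseOfData
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]   # PE32+ has no BaseOfData
    else:
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": n_sections,
        "entry_point_rva": entry,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "relocatable": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def assess_foreign_write(target_base: int, written: bytes) -> dict:
    """Triage a cross-process write: is it a PE, and was it built to live at target_base?"""
    hdr = parse_pe_header(written)
    if hdr is None:
        return {"pe_image_written": False, "matches_preferred_base": False, "header": None}
    return {"pe_image_written": True,
            "matches_preferred_base": hdr["image_base"] == target_base,
            "header": hdr}


def build_minimal_pe32(image_base: int = 0x400000, entry_rva: int = 0x1000,
                       dynamic_base: bool = False) -> bytes:
    """Constructed test image: header-only PE32 declaring one section, enough for the parser."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH",
                      PE32_MAGIC, 14, 0,                       # Magic, linker major/minor
                      0x200, 0, 0,                             # SizeOfCode, init, uninit
                      entry_rva, 0x1000, 0x2000, image_base,   # entry, BaseOfCode, BaseOfData, ImageBase
                      0x1000, 0x200,                           # SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,                        # OS / image / subsystem versions
                      0, 0x3000, 0x200, 0,                     # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      2, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    print(assess_foreign_write(0x400000, build_minimal_pe32()))
```

A real dump will of course be a full image rather than headers only; the parser deliberately reads nothing past DllCharacteristics so it works on the first page of a write as well as on a complete region, which is what a hook typically gives you first.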
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe; Queries volume information (VolumeInformation) for font files under C:\Windows\Fonts\, 187 queries in total. This is the GDI+ installed-font enumeration that follows the System.Drawing / System.Windows.Forms loads above and is expected noise for any .NET GUI process, not a behavioural indicator in its own right. Files in order of first query, repeats counted in parentheses:
                bahnschrift.ttf (x8), calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc (x2), cambriaz.ttf, Candara.ttf, Candaral.ttf, Candarai.ttf, Candarali.ttf, Candarab.ttf, Candaraz.ttf, comici.ttf, comicz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
                corbel.ttf, corbell.ttf, corbeli.ttf, corbelli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc (x2), msjhl.ttc (x2), msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc (x2), msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc (x2), monbaiti.ttf, msgothic.ttc (x2), mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
                Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, seguihis.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc (x3), SitkaI.ttc (x4), SitkaB.ttc, SitkaZ.ttc (x2), sylfaen.ttf, symbol.ttf, tahoma.ttf, tahomabd.ttf, timesbd.ttf, timesbi.ttf, trebuc.ttf, trebucit.ttf, trebucbd.ttf, trebucbi.ttf, verdana.ttf, verdanai.ttf, verdanaz.ttf, webdings.ttf, wingding.ttf,
                YuGothR.ttc (x2), YuGothM.ttc (x2), YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, AGENCYR.TTF, AGENCYB.TTF, ANTQUAI.TTF, ANTQUAB.TTF, BASKVILL.TTF, BELL.TTF, BELLB.TTF, BERNHC.TTF, BOD_B.TTF, BOD_CR.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, BOD_PSTC.TTF, BOOKOS.TTF, BOOKOSBI.TTF, BRITANIC.TTF, BRLNSR.TTF, BROADW.TTF, BRUSHSCI.TTF, BSSYM7.TTF, CALISTBI.TTF, CASTELAR.TTF, CENSCBK.TTF, SCHLBKI.TTF, SCHLBKBI.TTF,
                CENTAUR.TTF, CHILLER.TTF, COLONNA.TTF, COPRGTL.TTF, COPRGTB.TTF, CURLZ___.TTF, DUBAI-REGULAR.TTF, DUBAI-MEDIUM.TTF, ELEPHNTI.TTF, ERASMD.TTF, FELIXTI.TTF, FTLTLT.TTF, GIGI.TTF, GIL_____.TTF, GILB____.TTF, GILBI___.TTF, GOTHICB.TTF, GOUDYSTO.TTF, HTOWERT.TTF, IMPRISHA.TTF, NIAGSOL.TTF, PER_____.TTF, PERI____.TTF, PERB____.TTF, REFSPCL.TTF, ROCKB.TTF, TCCM____.TTF
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\z1Estadodecuentadelcliente.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.z1Estadodecuentadelcliente.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f75240.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.z1Estadodecuentadelcliente.exe.3f5dc20.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2909580142.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699566849.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 824, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: z1Estadodecuentadelcliente.exe PID: 3104, type: MEMORYSTR
                MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures for that technique; unnumbered cells are matrix entries without a match)

                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (1) | Remote Services | Email Collection (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (11) | Input Capture (1) | Process Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Archive Collected Data (11) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Data from Local System (1) | Application Layer Protocol (13) | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1630366 | Sample: z1Estadodecuentadelcliente.exe | Startdate: 05/03/2025 | Architecture: WINDOWS | Score: 100

                • Start (graph node 2)
                  • DNS/IP Info: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
                  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
                  • Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                • z1Estadodecuentadelcliente.exe (node 8, started from node 2)
                  • Created File: C:\...\z1Estadodecuentadelcliente.exe.log, ASCII (dropped)
                  • Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                  • Started: z1Estadodecuentadelcliente.exe (node 12); powershell.exe (node 16); z1Estadodecuentadelcliente.exe (node 18); z1Estadodecuentadelcliente.exe (node 20)
                • z1Estadodecuentadelcliente.exe (node 12)
                  • DNS/IP Info: checkip.dyndns.com 158.101.44.242, ports 49736, 80, ORACLE-BMC-31898US, United States; reallyfreegeoip.org 104.21.80.1, ports 443, 49737, CLOUDFLARENETUS, United States
                  • Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                • powershell.exe (node 16)
                  • Signature: Loading BitLocker PowerShell Module
                  • Started: WmiPrvSE.exe (node 22); conhost.exe (node 24)
