
Windows Analysis Report
Transferencia Bancaria I2241624AH.exe

Overview

General Information

Sample name: Transferencia Bancaria I2241624AH.exe
Analysis ID: 1633326
MD5: ff47fc28052f9b2f5443126881393d7a
SHA1: 0fa100a26818baafaeb0dfd96519a5a4148a2469
SHA256: f7e650b2823abede9c1fb356bb5928a3333d8cbf8f649ddd63830c04b3b14018
Tags: AgentTesla, exe, user-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Transferencia Bancaria I2241624AH.exe (PID: 6604 cmdline: "C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe" MD5: FF47FC28052F9B2F5443126881393D7A)
    • RegSvcs.exe (PID: 4888 cmdline: "C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.gizemetiket.com.tr", "Username": "pgizemM6", "Password": "giz95Ffg"}
Source: 00000002.00000002.3710888369.000000000251C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x33091: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33103: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3318d: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3321f: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33289: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x332fb: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33391: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33421: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
  • 0x305b6: $s2: GetPrivateProfileString
  • 0x2fc6f: $s3: get_OSFullName
  • 0x312ba: $s5: remove_Key
  • 0x31447: $s5: remove_Key
  • 0x322ad: $s6: FtpWebRequest
  • 0x33073: $s7: logins
  • 0x335e5: $s7: logins
  • 0x3635e: $s7: logins
  • 0x363a8: $s7: logins
  • 0x37ca6: $s7: logins
  • 0x36f42: $s9: 1.85 (Hash, version 2, native byte-order)
Source: 2.2.RegSvcs.exe.580000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 2.2.RegSvcs.exe.580000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.RegSvcs.exe.580000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x33091: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33103: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3318d: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3321f: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33289: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x332fb: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33391: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33421: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 2.2.RegSvcs.exe.580000.0.unpack | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
  • 0x305b6: $s2: GetPrivateProfileString
  • 0x2fc6f: $s3: get_OSFullName
  • 0x312ba: $s5: remove_Key
  • 0x31447: $s5: remove_Key
  • 0x322ad: $s6: FtpWebRequest
  • 0x33073: $s7: logins
  • 0x335e5: $s7: logins
  • 0x3635e: $s7: logins
  • 0x363a8: $s7: logins
  • 0x37ca6: $s7: logins
  • 0x36f42: $s9: 1.85 (Hash, version 2, native byte-order)
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
No Sigma rule has matched
No Suricata rule has matched

              AV Detection

Source: Transferencia Bancaria I2241624AH.exe | Avira: detected
Source: 2.2.RegSvcs.exe.580000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.gizemetiket.com.tr", "Username": "pgizemM6", "Password": "giz95Ffg"}
Source: Transferencia Bancaria I2241624AH.exe | Virustotal: Detection: 73%
Source: Transferencia Bancaria I2241624AH.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Transferencia Bancaria I2241624AH.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49693 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1247568606.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1245773311.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1247568606.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1245773311.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose

              Networking

Source: global traffic | TCP traffic: 93.89.225.40 ports 59023,59022,59110,59025,59024,59030,59031,1,59118,2,59015,59017,59028,21
Source: global traffic | TCP traffic: 192.168.2.6:63768 -> 93.89.225.40:59015
Source: global traffic | TCP traffic: 192.168.2.6:63757 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 93.89.225.40
Source: Joe Sandbox View | ASN Name: TR-FBSTR
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | FTP traffic detected: 93.89.225.40:21 -> 192.168.2.6:63767 220 Microsoft FTP Service
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.gizemetiket.com.tr
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: RegSvcs.exe, 00000002.00000002.3710888369.0000000002534000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710888369.0000000002732000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710888369.000000000251C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.gizemetiket.com.tr
Source: RegSvcs.exe, 00000002.00000002.3710888369.00000000024A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3709098226.0000000000582000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3710888369.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3709098226.0000000000582000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3710888369.00000000024A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3710888369.00000000024A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49693 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, hxAF.cs | .Net Code: fM6x5OA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

              System Summary

Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E03B3A This is a third-party compiled AutoIt script.
Source: Transferencia Bancaria I2241624AH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000002.1250281168.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_93739b18-f
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000002.1250281168.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_9dff0d62-a
Source: Transferencia Bancaria I2241624AH.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_40477bd6-8
Source: Transferencia Bancaria I2241624AH.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c240b015-5
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E0E6A0
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2D975
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E0FCE0
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E221C5
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E362D2
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E803DA
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E3242E
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E225FA
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E166E1
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E5E616
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E3878F
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E68889
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E36844
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E80857
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E18808
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2CB21
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E36DB6
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E16F9E
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E13030
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2F1D9
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E23187
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E01287
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E21484
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E15520
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E27696
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E15760
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E21978
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E39AB5
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E87DDB
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2BDA6
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E21D90
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E13FE0
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E0DF00
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_0192A818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0231E0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02314A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0231AA9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02313E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0231DC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02314188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F655C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F67D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F63078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F6B210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F65CB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F67680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F6E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06051403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06051408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05F60007
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: String function: 00E28900 appears 42 times
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: String function: 00E20AE3 appears 70 times
Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: String function: 00E07DE1 appears 35 times
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1246039348.00000000042E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Transferencia Bancaria I2241624AH.exe
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1247242720.000000000448D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Transferencia Bancaria I2241624AH.exe
Source: Transferencia Bancaria I2241624AH.exe, 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename5bc4a179-7022-47b4-bc67-c0ba357abdc4.exe4 vs Transferencia Bancaria I2241624AH.exe
Source: Transferencia Bancaria I2241624AH.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
              Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, N43UVggPg.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, Ow96S4wT.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, MjzNdC.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/2
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6A06A GetLastError,FormatMessageW,0_2_00E6A06A
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E581CB AdjustTokenPrivileges,CloseHandle,0_2_00E581CB
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00E587E1
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00E6B3FB
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00E7EE0D
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00E783BB
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00E04E89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | File created: C:\Users\user\AppData\Local\Temp\autA4EE.tmp
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Transferencia Bancaria I2241624AH.exe | Virustotal: Detection: 73%
              Source: Transferencia Bancaria I2241624AH.exe | ReversingLabs: Detection: 68%
              Source: unknown | Process created: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe "C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe"
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe"
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
              Source: Transferencia Bancaria I2241624AH.exe | Static file information: File size 1069056 > 1048576
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Binary string: wntdll.pdbUGP source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1247568606.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1245773311.0000000004360000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1247568606.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, Transferencia Bancaria I2241624AH.exe, 00000000.00000003.1245773311.0000000004360000.00000004.00001000.00020000.00000000.sdmp
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: Transferencia Bancaria I2241624AH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E04B37 LoadLibraryA,GetProcAddress,0_2_00E04B37
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E28945 push ecx; ret 0_2_00E28958
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02310C6D push edi; retf 2_2_02310C7A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02310C45 push ebx; retf 2_2_02310C52
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06050313 push esp; iretd 2_2_06050325
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E048D7
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E85376
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E23187
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | API/Special instruction interceptor: Address: 192A43C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599779
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598780
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598658
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598531
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598386
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598157
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597942
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597358
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597125
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596797
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596687
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595366
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595247
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595139
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594921
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594809
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594700
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7493
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2358
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105624
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | API coverage: 4.4 %
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E6445A
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6C6D1 FindFirstFileW,FindClose,0_2_00E6C6D1
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E6C75C
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6EF95
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6F0F2
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6F3F3
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E637EF
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E63B12
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6BCBC
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E049A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599779
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598780
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598658
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598531
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598386
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598157
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597942
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597358
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597125
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596797
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596687
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595366
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595247
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595139
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594921
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594809
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594700
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594359
              Source: RegSvcs.exe, 00000002.00000002.3713750099.00000000059F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | API call chain: ExitProcess graph end node (graph_0-104459)
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | API call chain: ExitProcess graph end node (graph_0-104678)
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E73F09 BlockInput
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E04B37 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_01929068 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_0192A708 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_0192A6A8 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2A124 SetUnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 382008
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E587B1 LogonUserW
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E64C7F mouse_event
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe"
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: Shell_TrayWnd
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E2862B cpuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E41E06 GetUserNameW
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.3710888369.000000000251C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3710888369.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3709098226.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Transferencia Bancaria I2241624AH.exe PID: 6604, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4888, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_81
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_XP
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_XPe
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_VISTA
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_7
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: WIN_8
              Source: Transferencia Bancaria I2241624AH.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
              Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3710888369.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3709098226.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Transferencia Bancaria I2241624AH.exe PID: 6604, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4888, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 2.2.RegSvcs.exe.580000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.Transferencia Bancaria I2241624AH.exe.3d00000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.3710888369.000000000251C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1251329143.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3710888369.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.3709098226.0000000000582000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Transferencia Bancaria I2241624AH.exe PID: 6604, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4888, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
              Source: C:\Users\user\Desktop\Transferencia Bancaria I2241624AH.exe | Code function: 0_2_00E76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | 1 Exfiltration Over Alternative Protocol | 1 System Shutdown/Reboot
              Credentials | Domains | Default Accounts | 2 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 221 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 138 System Information Discovery | Distributed Component Object Model | 221 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 241 Security Software Discovery | SSH | 4 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
