Edit tour

Windows Analysis Report
Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Overview

General Information

Sample name:	Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe renamed because original name is a hash value
Original sample name:	Presupuesto - N 270 - 0020250314-0000945.com.exe
Analysis ID:	1638692
MD5:	ef142d46e1a677aa53b8a418a1795eb0
SHA1:	8a6047300fc1dece2a7c4bd3d0000c77926e780e
SHA256:	39614b9a1e5cce6b1e570d488c384a02b6240cfab2772f85fb31f6d82d466ee5
Tags:	exeuser-lowmal3
Infos:

Detection

Remcos, DarkTortilla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected Remcos RAT

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to delay execution (extensive OutputDebugStringW loop)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe (PID: 5888 cmdline: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe (PID: 7324 cmdline: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

wscript.exe (PID: 7540 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7644 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

System.exe (PID: 7704 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 5644 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 7288 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 7948 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 2556 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 8180 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 6312 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

System.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe" MD5: EF142D46E1A677AA53B8A418A1795EB0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["rency.ydns.eu:2404:1", "wqo9.firewall-gateway.de:4045:1", "code1.ydns.eu:9302:1"], "Assigned name": "MN", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "System.exe", "Startup value": "MicroSoft", "Hide file": "Enable", "Mutex": "TCWd3hQ5LP1Fcm2U5B0fn3xuWp5u5rQsC2Y-JDRSXO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "MicroSoft Outlook", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.3315275019.00000000031AF000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1683309567.0000000003D00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x13810:$a1: Remcos restarted by watchdog! 0x13d68:$a3: %02i:%02i:%02i:%03i 0x140ed:$a4: * Remcos v
0000000F.00000002.2629172496.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x67d22:$a1: Remcos restarted by watchdog! 0x6827a:$a3: %02i:%02i:%02i:%03i 0x685ff:$a4: * Remcos v
00000016.00000002.2627000152.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x686a8:$a1: Remcos restarted by watchdog! 0x68c00:$a3: %02i:%02i:%02i:%03i 0x68f85:$a4: * Remcos v
0000000E.00000002.2581814968.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000001A.00000002.2813689984.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb2d10:$a1: Remcos restarted by watchdog! 0xb3268:$a3: %02i:%02i:%02i:%03i 0xb35ed:$a4: * Remcos v
0000000A.00000002.1676780854.000000000117A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
00000017.00000002.2702553502.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1687574109.000000000B3E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x137d0:$a1: Remcos restarted by watchdog! 0x13d28:$a3: %02i:%02i:%02i:%03i 0x140ad:$a4: * Remcos v
0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68338:$a1: Remcos restarted by watchdog! 0x68890:$a3: %02i:%02i:%02i:%03i 0x68c15:$a4: * Remcos v
00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68670:$a1: Remcos restarted by watchdog! 0x68bc8:$a3: %02i:%02i:%02i:%03i 0x68f4d:$a4: * Remcos v
00000000.00000002.1672183431.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2705898459.0000000002543000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000014.00000002.2816798550.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7aa3:$a1: Remcos restarted by watchdog! 0x728b5:$a1: Remcos restarted by watchdog! 0x7fda:$a3: %02i:%02i:%02i:%03i 0x8593:$a3: %02i:%02i:%02i:%03i 0x72dec:$a3: %02i:%02i:%02i:%03i 0x733a5:$a3: %02i:%02i:%02i:%03i 0x81fc:$a4: * Remcos v 0x7300e:$a4: * Remcos v
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x140fc:$a1: Remcos restarted by watchdog! 0x14633:$a3: %02i:%02i:%02i:%03i 0x14bec:$a3: %02i:%02i:%02i:%03i 0x14855:$a4: * Remcos v
Process Memory Space: System.exe PID: 7704	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: System.exe PID: 7704	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 7704	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: System.exe PID: 7704	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x406a9:$a1: Remcos restarted by watchdog! 0x8fe1e:$a1: Remcos restarted by watchdog! 0x40be0:$a3: %02i:%02i:%02i:%03i 0x41199:$a3: %02i:%02i:%02i:%03i 0x90355:$a3: %02i:%02i:%02i:%03i 0x9090e:$a3: %02i:%02i:%02i:%03i 0x40e02:$a4: * Remcos v 0x90577:$a4: * Remcos v
Process Memory Space: System.exe PID: 7752	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: System.exe PID: 7752	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 7752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: System.exe PID: 7752	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x28db9:$a1: Remcos restarted by watchdog! 0x292f0:$a3: %02i:%02i:%02i:%03i 0x298a9:$a3: %02i:%02i:%02i:%03i 0x29512:$a4: * Remcos v
Process Memory Space: System.exe PID: 7948	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: System.exe PID: 7948	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 7948	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: System.exe PID: 7948	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x9c441:$a1: Remcos restarted by watchdog! 0x9c978:$a3: %02i:%02i:%02i:%03i 0x9cf31:$a3: %02i:%02i:%02i:%03i 0x9cb9a:$a4: * Remcos v
Process Memory Space: System.exe PID: 8180	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: System.exe PID: 8180	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 8180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: System.exe PID: 8180	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x56d69:$a1: Remcos restarted by watchdog! 0x572a0:$a3: %02i:%02i:%02i:%03i 0x57859:$a3: %02i:%02i:%02i:%03i 0x574c2:$a4: * Remcos v
Process Memory Space: System.exe PID: 5644	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 7288	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 2556	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: System.exe PID: 5544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 54 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.b3e0000.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d00370.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.b3e0000.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d4b028.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
14.2.System.exe.48df958.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.48df958.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
14.2.System.exe.48df958.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
14.2.System.exe.48df958.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.4750342.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.System.exe.3c1ec90.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.4750342.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
14.2.System.exe.4750342.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
14.2.System.exe.4750342.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
17.2.System.exe.3c1ec90.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
17.2.System.exe.3c1ec90.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
17.2.System.exe.3c1ec90.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
15.2.System.exe.428fcc8.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.System.exe.428fcc8.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
15.2.System.exe.428fcc8.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
15.2.System.exe.428fcc8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
14.2.System.exe.48df958.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.48df958.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
14.2.System.exe.48df958.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
14.2.System.exe.48df958.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
14.2.System.exe.4750342.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.4750342.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
14.2.System.exe.4750342.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
15.2.System.exe.428fcc8.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.System.exe.4750342.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
15.2.System.exe.428fcc8.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
15.2.System.exe.428fcc8.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
15.2.System.exe.428fcc8.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
17.2.System.exe.3c1ec90.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.System.exe.3c1ec90.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
17.2.System.exe.3c1ec90.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
17.2.System.exe.3c1ec90.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d4b028.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d00370.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Click to see the 49 entries

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe", ParentImage: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ParentProcessId: 7324, ParentProcessName: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7540, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe", ParentImage: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ParentProcessId: 7324, ParentProcessName: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7540, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe", ParentImage: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ParentProcessId: 7324, ParentProcessName: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7540, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessId: 7324, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroSoft

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe", ParentImage: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ParentProcessId: 7324, ParentProcessName: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7540, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, ProcessId: 7324, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroSoft

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe, ProcessId: 5644, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T16:16:10.454194+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.8	60969	104.245.240.123	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T16:16:12.205415+0100	2803304	3	Unknown Traffic	192.168.2.8	60970	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Avira: detected

Antivirus detection for URL or domain

Source: code1.ydns.eu	Avira URL Cloud: Label: phishing
Source: wqo9.firewall-gateway.de	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Avira: detection malicious, Label: TR/Kryptik.dcdpj
Source: C:\Users\user\AppData\Local\Temp\install.vbs	Avira: detection malicious, Label: VBS/Runner.VPD

Found malware configuration

Source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rency.ydns.eu:2404:1", "wqo9.firewall-gateway.de:4045:1", "code1.ydns.eu:9302:1"], "Assigned name": "MN", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "System.exe", "Startup value": "MicroSoft", "Hide file": "Enable", "Mutex": "TCWd3hQ5LP1Fcm2U5B0fn3xuWp5u5rQsC2Y-JDRSXO", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "MicroSoft Outlook", "Keylog folder": "remcos", "Keylog file max size": "100"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Virustotal: Detection: 37%			Perma Link
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	ReversingLabs: Detection: 36%

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3315275019.00000000031AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2627000152.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2813689984.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1676780854.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702553502.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 2556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

10_2_004315EC

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_52621784-1

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: sic.pdb> source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1671058079.0000000000959000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041A01B
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040B28E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_0040838E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_004087A0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_00407848
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004068CD FindFirstFileW,FindNextFileW,	10_2_004068CD
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0044BA59 FindFirstFileExA,	10_2_0044BA59
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040AA71
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00417AAB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040AC78

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

10_2_00406D28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.8:60969 -> 104.245.240.123:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rency.ydns.eu
Source: Malware configuration extractor	URLs: wqo9.firewall-gateway.de
Source: Malware configuration extractor	URLs: code1.ydns.eu

Source: global traffic

TCP traffic: 192.168.2.8:60969 -> 104.245.240.123:2404

Source: global traffic

TCP traffic: 192.168.2.8:60959 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:60970 -> 178.237.33.50:80

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

10_2_0041936B

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: rency.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: System.exe, 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, System.exe, 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, System.exe, 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: System.exe, 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpF
Source: System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpN
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpP
Source: System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, System.exe.10.dr	String found in binary or memory: https://api.notificationservice.com/send
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, System.exe.10.dr	String found in binary or memory: https://api.watertracker.com/v1/dataASystem

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

10_2_00409340

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

10_2_0040A65A

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

10_2_00414EC1

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

10_2_0040A65A

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

10_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3315275019.00000000031AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2627000152.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2813689984.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1676780854.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702553502.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 2556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0041A76C SystemParametersInfoW,

10_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 0_2_0D65EC38 CreateProcessAsUserW,

0_2_0D65EC38

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

10_2_00414DB4

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_00B5813D	0_2_00B5813D
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_00B5718F	0_2_00B5718F
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_00B51558	0_2_00B51558
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_00B57840	0_2_00B57840
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_00B51548	0_2_00B51548
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_04C4F6B0	0_2_04C4F6B0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_04C4CBD4	0_2_04C4CBD4
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_04C4F6A9	0_2_04C4F6A9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D65C5D8	0_2_0D65C5D8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D650EDA	0_2_0D650EDA
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D65F1B8	0_2_0D65F1B8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D650040	0_2_0D650040
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D654800	0_2_0D654800
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D653B70	0_2_0D653B70
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D657B30	0_2_0D657B30
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D651DC8	0_2_0D651DC8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D653400	0_2_0D653400
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D65D4F8	0_2_0D65D4F8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D652F40	0_2_0D652F40
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D652F50	0_2_0D652F50
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D65B688	0_2_0D65B688
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D653188	0_2_0D653188
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D650006	0_2_0D650006
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D6528A8	0_2_0D6528A8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D658B48	0_2_0D658B48
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D651BF1	0_2_0D651BF1
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D6533F1	0_2_0D6533F1
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D6553B0	0_2_0D6553B0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0D652B99	0_2_0D652B99
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB4C8C8	0_2_0DB4C8C8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB413B0	0_2_0DB413B0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB4B090	0_2_0DB4B090
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB413A0	0_2_0DB413A0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB413AF	0_2_0DB413AF
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB82DA0	0_2_0DB82DA0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB81110	0_2_0DB81110
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8F080	0_2_0DB8F080
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB828C8	0_2_0DB828C8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8E808	0_2_0DB8E808
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8DBE8	0_2_0DB8DBE8
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8F3D0	0_2_0DB8F3D0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8CB51	0_2_0DB8CB51
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8E7DA	0_2_0DB8E7DA
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB83EB0	0_2_0DB83EB0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB8110F	0_2_0DB8110F
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB810D9	0_2_0DB810D9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB85388	0_2_0DB85388
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB85377	0_2_0DB85377
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DCF0040	0_2_0DCF0040
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DCF3200	0_2_0DCF3200
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DCF0023	0_2_0DCF0023
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00425152	10_2_00425152
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00435286	10_2_00435286
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004513D4	10_2_004513D4
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0045050B	10_2_0045050B
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00436510	10_2_00436510
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004316FB	10_2_004316FB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0043569E	10_2_0043569E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00443700	10_2_00443700
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004257FB	10_2_004257FB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004128E3	10_2_004128E3
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00425964	10_2_00425964
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0041B917	10_2_0041B917
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0043D9CC	10_2_0043D9CC
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00435AD3	10_2_00435AD3
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00424BC3	10_2_00424BC3
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0043DBFB	10_2_0043DBFB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0044ABA9	10_2_0044ABA9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00433C0B	10_2_00433C0B
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00434D8A	10_2_00434D8A
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0043DE2A	10_2_0043DE2A
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0041CEAF	10_2_0041CEAF
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00435F08	10_2_00435F08
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0180813D	14_2_0180813D
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_018071A0	14_2_018071A0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0180F030	14_2_0180F030
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_01801558	14_2_01801558
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_01801548	14_2_01801548
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_03073200	14_2_03073200
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_03070006	14_2_03070006
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_03070040	14_2_03070040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_05A0C9A4	14_2_05A0C9A4
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_05A0F668	14_2_05A0F668
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_05A0F678	14_2_05A0F678
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEDCD8	14_2_0CAEDCD8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAECC40	14_2_0CAECC40
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE0DC0	14_2_0CAE0DC0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE2E50	14_2_0CAE2E50
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEE8E8	14_2_0CAEE8E8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE2978	14_2_0CAE2978
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEF170	14_2_0CAEF170
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEDCC8	14_2_0CAEDCC8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAECC31	14_2_0CAECC31
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE5458	14_2_0CAE5458
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE5457	14_2_0CAE5457
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE0DB1	14_2_0CAE0DB1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAE3F80	14_2_0CAE3F80
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEE8C4	14_2_0CAEE8C4
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0CAEF160	14_2_0CAEF160
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE9B20	14_2_0FAE9B20
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAEF340	14_2_0FAEF340
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE0EE0	14_2_0FAE0EE0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAECA08	14_2_0FAECA08
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE1E00	14_2_0FAE1E00
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAEF648	14_2_0FAEF648
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE4580	14_2_0FAE4580
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE7CB8	14_2_0FAE7CB8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE0040	14_2_0FAE0040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3B80	14_2_0FAE3B80
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE43C9	14_2_0FAE43C9
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE43D8	14_2_0FAE43D8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3F28	14_2_0FAE3F28
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3F18	14_2_0FAE3F18
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3B71	14_2_0FAE3B71
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE0EA8	14_2_0FAE0EA8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE2DA0	14_2_0FAE2DA0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE2D90	14_2_0FAE2D90
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAECDD0	14_2_0FAECDD0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE512F	14_2_0FAE512F
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAED538	14_2_0FAED538
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE5130	14_2_0FAE5130
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE4160	14_2_0FAE4160
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE4571	14_2_0FAE4571
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE4150	14_2_0FAE4150
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE7CA8	14_2_0FAE7CA8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3880	14_2_0FAE3880
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE8CD0	14_2_0FAE8CD0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE0006	14_2_0FAE0006
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAEB810	14_2_0FAEB810
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_0FAE3870	14_2_0FAE3870
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_02A2813D	15_2_02A2813D
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_02A271A0	15_2_02A271A0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_02A21558	15_2_02A21558
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_02A21548	15_2_02A21548
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_053FD1BC	15_2_053FD1BC
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_053FF370	15_2_053FF370
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C5016E8	15_2_0C5016E8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C508844	15_2_0C508844
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C50B610	15_2_0C50B610
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C5016C0	15_2_0C5016C0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51CC40	15_2_0C51CC40
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51DCD8	15_2_0C51DCD8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C510DC0	15_2_0C510DC0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C512E50	15_2_0C512E50
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51E8E8	15_2_0C51E8E8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51F170	15_2_0C51F170
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C515458	15_2_0C515458
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C515447	15_2_0C515447
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51CC31	15_2_0C51CC31
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51DCC8	15_2_0C51DCC8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51F4B0	15_2_0C51F4B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C510D89	15_2_0C510D89
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C510DB1	15_2_0C510DB1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C513F80	15_2_0C513F80
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51E830	15_2_0C51E830
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C5198B0	15_2_0C5198B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C512978	15_2_0C512978
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C51F160	15_2_0C51F160
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F507B30	15_2_0F507B30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F500EE0	15_2_0F500EE0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50E990	15_2_0F50E990
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F509998	15_2_0F509998
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50F1B8	15_2_0F50F1B8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F500040	15_2_0F500040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F504800	15_2_0F504800
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50F4C0	15_2_0F50F4C0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F508B48	15_2_0F508B48
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F503B00	15_2_0F503B00
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F507B20	15_2_0F507B20
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5043D0	15_2_0F5043D0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5047F1	15_2_0F5047F1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5043E0	15_2_0F5043E0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50CFE8	15_2_0F50CFE8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5053B0	15_2_0F5053B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5053A1	15_2_0F5053A1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F504658	15_2_0F504658
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F504649	15_2_0F504649
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F503E00	15_2_0F503E00
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F503AF0	15_2_0F503AF0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F500E94	15_2_0F500E94
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50B688	15_2_0F50B688
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F500EA4	15_2_0F500EA4
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F503DF1	15_2_0F503DF1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F504198	15_2_0F504198
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5041A8	15_2_0F5041A8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F502C08	15_2_0F502C08
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50002F	15_2_0F50002F
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F5020C9	15_2_0F5020C9
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0F50C880	15_2_0F50C880
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_13E10040	15_2_13E10040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_13E13200	15_2_13E13200
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_13E10007	15_2_13E10007
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_008E813D	17_2_008E813D
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_008E718F	17_2_008E718F
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_008E1558	17_2_008E1558
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_008E7840	17_2_008E7840
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_008E1548	17_2_008E1548
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_023B3200	17_2_023B3200
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_023B0006	17_2_023B0006
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_023B0040	17_2_023B0040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_04E9D1C4	17_2_04E9D1C4
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_04E9F380	17_2_04E9F380
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_04E9F370	17_2_04E9F370
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF616E8	17_2_0BF616E8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF68844	17_2_0BF68844
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF616C0	17_2_0BF616C0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF6B610	17_2_0BF6B610
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7F170	17_2_0BF7F170
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF72978	17_2_0BF72978
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7E8E8	17_2_0BF7E8E8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF72E50	17_2_0BF72E50
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF70DC0	17_2_0BF70DC0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7DCD8	17_2_0BF7DCD8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7CC40	17_2_0BF7CC40
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7F160	17_2_0BF7F160
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7E830	17_2_0BF7E830
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF73F80	17_2_0BF73F80
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF70DB8	17_2_0BF70DB8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7DCC8	17_2_0BF7DCC8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF75458	17_2_0BF75458
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF75447	17_2_0BF75447
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7CC31	17_2_0BF7CC31
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D634580	17_2_0D634580
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D630040	17_2_0D630040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63A030	17_2_0D63A030
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D637CB8	17_2_0D637CB8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63F340	17_2_0D63F340
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D639728	17_2_0D639728
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D633B30	17_2_0D633B30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63F648	17_2_0D63F648
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D630EE0	17_2_0D630EE0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D632D68	17_2_0D632D68
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D632D59	17_2_0D632D59
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63BD20	17_2_0D63BD20
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D635130	17_2_0D635130
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D633110	17_2_0D633110
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D6335C0	17_2_0D6335C0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D6335B0	17_2_0D6335B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63003E	17_2_0D63003E
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63001D	17_2_0D63001D
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D638CD0	17_2_0D638CD0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D633348	17_2_0D633348
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63333A	17_2_0D63333A
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D632A68	17_2_0D632A68
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D630E01	17_2_0D630E01
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D631E08	17_2_0D631E08
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D631E18	17_2_0D631E18
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0D63D680	17_2_0D63D680
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_02E6718F	20_2_02E6718F
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_02E61558	20_2_02E61558
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_02E67840	20_2_02E67840
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_02E61548	20_2_02E61548
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C12C320	20_2_0C12C320
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C12B090	20_2_0C12B090
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C1213B0	20_2_0C1213B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C1213A0	20_2_0C1213A0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91F083	20_2_0C91F083
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91E808	20_2_0C91E808
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C911110	20_2_0C911110
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91F3DB	20_2_0C91F3DB
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91DBF1	20_2_0C91DBF1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91CB51	20_2_0C91CB51
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C913EB0	20_2_0C913EB0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C9128C8	20_2_0C9128C8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91E804	20_2_0C91E804
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C91DBE9	20_2_0C91DBE9
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C911103	20_2_0C911103
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C915387	20_2_0C915387
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C915388	20_2_0C915388
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B0ED3	20_2_0E1B0ED3
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B3B30	20_2_0E1B3B30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B7B30	20_2_0E1B7B30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B4800	20_2_0E1B4800
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B0040	20_2_0E1B0040
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1BE990	20_2_0E1BE990
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1BF1B8	20_2_0E1BF1B8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1BB688	20_2_0E1BB688
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B8B39	20_2_0E1B8B39
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B7B20	20_2_0E1B7B20
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B2F50	20_2_0E1B2F50
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B8B48	20_2_0E1B8B48
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B2F4E	20_2_0E1B2F4E
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B2B99	20_2_0E1B2B99
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B53B0	20_2_0E1B53B0
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B53AF	20_2_0E1B53AF
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B47FE	20_2_0E1B47FE
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B33F1	20_2_0E1B33F1
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1BCFE8	20_2_0E1BCFE8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B3400	20_2_0E1B3400
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B0006	20_2_0E1B0006
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B003B	20_2_0E1B003B
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B2899	20_2_0E1B2899
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1BC880	20_2_0E1BC880
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B28A8	20_2_0E1B28A8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B3179	20_2_0E1B3179
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B3188	20_2_0E1B3188
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B1DB8	20_2_0E1B1DB8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E1B1DC8	20_2_0E1B1DC8
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E2B3438	20_2_0E2B3438
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E2B0006	20_2_0E2B0006
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0E2B0040	20_2_0E2B0040

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: String function: 00432525 appears 41 times

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFalimotin.dll4 vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003D00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFalimotin.dll4 vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1689601485.000000000D590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000000.844200215.000000000030A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHIT.exeP vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1687574109.000000000B3E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFalimotin.dll4 vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1671058079.000000000091E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 0000000A.00000002.1676780854.0000000001191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 0000000A.00000002.1676780854.0000000001191000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Binary or memory string: OriginalFilenameHIT.exeP vs Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: System.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, m4W5Hc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: System.exe.10.dr, m4W5Hc.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@23/7@3/2

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

10_2_00415C90

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

10_2_0040E2E7

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

10_2_00419493

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

10_2_00418A00

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Mutant created: \Sessions\1\BaseNamedObjects\TCWd3hQ5LP1Fcm2U5B0fn3xuWp5u5rQsC2Y-JDRSXO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File created: C:\Users\user\AppData\Local\Temp\install.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Virustotal: Detection: 37%
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File read: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe"
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe"
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: kernel.appcore.dll

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static file information: File size 1164288 > 1048576

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11bc00

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: sic.pdb> source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1671058079.0000000000959000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.b3e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d00370.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.b3e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d4b028.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d4b028.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3d00370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2629172496.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2581814968.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1687574109.000000000B3E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1672183431.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2705898459.0000000002543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2816798550.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, a1L5W.cs	.Net Code: NewLateBinding.LateCall(q9NKs, (Type)null, "Invoke", new object[2]{null,Fb38Wp.b2K5Ck()}, (string[])null, (Type[])null, (bool[])null, true)
Source: System.exe.10.dr, a1L5W.cs	.Net Code: NewLateBinding.LateCall(q9NKs, (Type)null, "Invoke", new object[2]{null,Fb38Wp.b2K5Ck()}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

10_2_0041A8DA

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_04C45250 push ss; ret	0_2_04C4525E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB46300 pushfd ; ret	0_2_0DB46301
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DB88D21 pushad ; ret	0_2_0DB88D33
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DCF0BCF push es; iretd	0_2_0DCF0BD6
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 0_2_0DCF0BAF push es; iretd	0_2_0DCF0BBA
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004000D8 push es; iretd	10_2_004000D9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040008C push es; iretd	10_2_0040008D
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004542E6 push ecx; ret	10_2_004542F9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0045B4FD push esi; ret	10_2_0045B506
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00432BD6 push ecx; ret	10_2_00432BE9
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00454C08 push eax; ret	10_2_00454C26
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 14_2_05A0C2B1 push esp; retf	14_2_05A0C2BD
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 15_2_0C506480 pushfd ; ret	15_2_0C506481
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF66480 pushfd ; ret	17_2_0BF66481
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF7A952 push 0000000Bh; ret	17_2_0BF7A960
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 17_2_0BF78E01 pushad ; ret	17_2_0BF78E13
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C126300 pushfd ; ret	20_2_0C126301
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Code function: 20_2_0C918D2B pushad ; ret	20_2_0C918D33

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, Xy47B.cs	High entropy of concatenated method names: 'x8GHk', 'MoveNext', 'Zm38X', 'SetStateMachine', 'a4MFg', 'm6CZr', 'Rs6n8', 's9CKc', 'g8Q2E', 'Tk52E'
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, o3GKi1.cs	High entropy of concatenated method names: 'Tb27Zi', 'Mw36Em', 'Zn4k1L', 'n3BAr0', 'c9J7Xz', 'Zi26Ls', 'Zn58Dg', 'Xs2r1A', 'g9K8Ef', 'x4C5Jq'
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, Fb38Wp.cs	High entropy of concatenated method names: 'Ag92Mn', 's7PYt9', 'Ce28Pb', 's6R7Xm', 'x5TSb9', 'c7N0Db', 'Tf26Nn', 'e4NZo9', 'Mi6f8B', 'Sm09Lo'
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, m4W5Hc.cs	High entropy of concatenated method names: 'j3D2Z', 'Sj60F', 'o2MZn', 'Ze3t6', 'Lr37C', 'Kn23P', 'i4WPm', 'r3S7Y', 'Eo9q3', 'Cf29E'
Source: System.exe.10.dr, Xy47B.cs	High entropy of concatenated method names: 'x8GHk', 'MoveNext', 'Zm38X', 'SetStateMachine', 'a4MFg', 'm6CZr', 'Rs6n8', 's9CKc', 'g8Q2E', 'Tk52E'
Source: System.exe.10.dr, o3GKi1.cs	High entropy of concatenated method names: 'Tb27Zi', 'Mw36Em', 'Zn4k1L', 'n3BAr0', 'c9J7Xz', 'Zi26Ls', 'Zn58Dg', 'Xs2r1A', 'g9K8Ef', 'x4C5Jq'
Source: System.exe.10.dr, Fb38Wp.cs	High entropy of concatenated method names: 'Ag92Mn', 's7PYt9', 'Ce28Pb', 's6R7Xm', 'x5TSb9', 'c7N0Db', 'Tf26Nn', 'e4NZo9', 'Mi6f8B', 'Sm09Lo'
Source: System.exe.10.dr, m4W5Hc.cs	High entropy of concatenated method names: 'j3D2Z', 'Sj60F', 'o2MZn', 'Ze3t6', 'Lr37C', 'Kn23P', 'i4WPm', 'r3S7Y', 'Eo9q3', 'Cf29E'

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004063C6 ShellExecuteW,URLDownloadToFileW,

10_2_004063C6

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	File created: \presupuesto - n#u00ba 270 - 0020250314-0000945.com.exe
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	File created: \presupuesto - n#u00ba 270 - 0020250314-0000945.com.exe
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	File created: \presupuesto - n#u00ba 270 - 0020250314-0000945.com.exe	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	File created: \presupuesto - n#u00ba 270 - 0020250314-0000945.com.exe	Jump to behavior

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

File created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

10_2_00418A00

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicroSoft	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicroSoft	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run MicroSoft	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run MicroSoft	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	File opened: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	File opened: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	File opened: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	File opened: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	File opened: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe\:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

10_2_0041A8DA

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0040E18D Sleep,ExitProcess,

10_2_0040E18D

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Section loaded: OutputDebugStringW count: 2898
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Section loaded: OutputDebugStringW count: 385

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 2500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: E0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: F0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: F440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 10440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 10C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 11C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory allocated: 12C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 17E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: E750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: FAF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 10AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 111F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 121F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 131F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 4BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: E170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 10510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 10C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 11C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 12C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: DCB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: ECB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 10040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 10750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 11750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 12750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 4E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: E630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F9C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 109C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: F9C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory allocated: 111D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe

Code function: 14_2_0FAE75D5 sldt word ptr [eax]

14_2_0FAE75D5

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

10_2_004186FE

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Window / User API: threadDelayed 9084	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Window / User API: threadDelayed 737	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 7156	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 2379	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 9606	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 9660	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 3599
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 6242
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 5142
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: threadDelayed 4361
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Window / User API: foregroundWindowGot 1764

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Evaded block: after key decision			graph_10-46465
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Evaded block: after key decision			graph_10-46370

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

API coverage: 5.5 %

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe TID: 5760	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe TID: 5760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 8120	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 8120	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1840	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1840	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1840	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 2412	Thread sleep count: 9606 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1492	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1492	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1492	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1464	Thread sleep count: 9660 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 5960	Thread sleep count: 161 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3236	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3236	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3236	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3264	Thread sleep count: 3599 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3264	Thread sleep count: 6242 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1440	Thread sleep count: 240 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 1440	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3788	Thread sleep count: 5142 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3788	Thread sleep time: -15426000s >= -30000s
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3788	Thread sleep count: 4361 > 30
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe TID: 3788	Thread sleep time: -13083000s >= -30000s

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041A01B
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040B28E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_0040838E
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_004087A0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_00407848
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004068CD FindFirstFileW,FindNextFileW,	10_2_004068CD
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0044BA59 FindFirstFileExA,	10_2_0044BA59
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040AA71
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00417AAB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040AC78

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

10_2_00406D28

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Thread delayed: delay time: 30000

Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1687574109.000000000B3E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: wscript.exe, 0000000B.00000003.1696047099.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1683309567.0000000003D00000.00000004.00000800.00020000.00000000.sdmp, Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe, 00000000.00000002.1687574109.000000000B3E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTrayoH
Source: System.exe, 00000015.00000002.3312959719.0000000001757000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 0_2_04C420F4 CheckRemoteDebuggerPresent,

0_2_04C420F4

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_004327AE

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

10_2_0041A8DA

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004407B5 mov eax, dword ptr fs:[00000030h]

10_2_004407B5

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

10_2_00410763

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004327AE
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004328FC SetUnhandledExceptionFilter,	10_2_004328FC
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004398AC
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: 10_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00432D5C

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Memory written: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory written: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory written: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory written: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory written: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe base: 540000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Memory written: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

10_2_00410B5C

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004175E1 mouse_event,

10_2_004175E1

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe "C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Process created: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe "C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe"

Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerEM
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernet/V
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: System.exe, 00000015.00000002.3312959719.0000000001736000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: System.exe, 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, logs.dat.21.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004329DA cpuid

10_2_004329DA

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: EnumSystemLocalesW,	10_2_0044F17B
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: EnumSystemLocalesW,	10_2_0044F130
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: EnumSystemLocalesW,	10_2_0044F216
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_0044F2A3
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoA,	10_2_0040E2BB
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoW,	10_2_0044F4F3
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0044F61C
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoW,	10_2_0044F723
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_0044F7F0
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: EnumSystemLocalesW,	10_2_00445914
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: GetLocaleInfoW,	10_2_00445E1C
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	10_2_0044EEB8

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MicroSoft Outlook\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_0040A0B0 GetLocalTime,wsprintfW,

10_2_0040A0B0

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004195F8 GetUserNameW,

10_2_004195F8

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: 10_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

10_2_004466BF

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3315275019.00000000031AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2627000152.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2813689984.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1676780854.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702553502.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 2556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

10_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		10_2_0040AA71
Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe	Code function: \key3.db		10_2_0040AA71

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.3c40330.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.48df958.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.System.exe.4750342.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.System.exe.428fcc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.System.exe.3c1ec90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.3315275019.00000000031AF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.0000000004750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2627000152.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2651565527.000000000428F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2813689984.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1683309567.0000000003BF5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1676780854.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.0000000001725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1675565010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702553502.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2846389748.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2597847753.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3312959719.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2724347584.0000000003C1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe PID: 7324, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 2556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: System.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\Desktop\Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Code function: cmd.exe

10_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	1 Valid Accounts	2 Native API	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Valid Accounts	11 Access Token Manipulation	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 Windows Service	11 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	122 Process Injection	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	122 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Presupuesto - N#U00ba 270 - 0020250314-0000945.com.exe