
Analysis Report Documento de env#U00edo.exe

Overview

General Information

Sample Name: Documento de env#U00edo.exe
Analysis ID: 255465
MD5: 056e6acf893464db30dae11eaf6695dc
SHA1: 1d834085eb5beb39c5507bc1ff8269af05b6d7d7
SHA256: 514c7f4384728fe67e4073654dcb51db0b07c8bb3bdb47c08779f4e8cec01f8a

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • Documento de env#U00edo.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\Documento de env#U00edo.exe' MD5: 056E6ACF893464DB30DAE11EAF6695DC)
    • schtasks.exe (PID: 5700 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "9231R", "URL: ": "https://9CqZznKRsR4.org", "To: ": "advisor@pierreinsurancebrokers.com", "ByHost: ": "mail.pierreinsurancebrokers.com:587", "Password: ": "=0AoVPRFC8", "From: ": "advisor@pierreinsurancebrokers.com"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Documento de env#U00edo.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.243137696.0000000000FF2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7951f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000B.00000000.287917393.00000000006B2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7951f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.288777262.0000000000FF2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7951f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.290414920.000000000440E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.511051128.00000000006B2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7951f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(9 further memory-dump matches are not listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.Documento de env#U00edo.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Documento de env#U00edo.exe.6b0000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.Documento de env#U00edo.exe.ff0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
11.0.Documento de env#U00edo.exe.6b0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.Documento de env#U00edo.exe.ff0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x7971f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
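Every SUSP_Reversed_Base64_Encoded_EXE hit above keys on the same string, uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV. That is the base64 encoding of the DOS-stub text "This program cannot be run in DOS mode." written backwards: the loader carries its next stage as base64 text and reverses it so that scanners looking for plain base64-encoded PE headers miss it. The Python below is an added example, not code from the report, from Joe Security or from the sample. It derives the anchor from the stub text for all three base64 alignments (more general than the single $sh3 string shown), finds the surrounding base64 run in a buffer, un-reverses and decodes it, and checks for an MZ header. The PE-like payload and the buffer around it are constructed for the example; only the alignment-0 anchor is the string the report shows.

```python
"""Locate and decode a reversed, base64-encoded PE inside a byte buffer.

Added example (not from the report or the sample). FAKE_PE and SAMPLE_BLOB
are constructed here; the alignment-0 anchor equals the $sh3 string in the
report.
"""
import base64
import binascii
import re

DOS_STUB = b"This program cannot be run in DOS mode."
B64_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="


def reversed_b64_anchors(plaintext: bytes = DOS_STUB) -> list:
    """Reversed-base64 form of `plaintext` for each of the three 3-byte
    alignments. Characters that also depend on unknown neighbouring bytes are
    dropped, so every anchor is a pure function of the plaintext and can be
    searched for literally. Alignment 0 is the $sh3 string: in a normal PE the
    stub sits at offset 0x4E, a multiple of 3."""
    anchors = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + plaintext).rstrip(b"=")
        head = (0, 2, 3)[k]                                 # chars tainted by the k filler bytes
        tail = 0 if (len(plaintext) + k) % 3 == 0 else 1    # char shared with the next byte
        anchors.append(enc[head:len(enc) - tail][::-1])
    return anchors


def find_reversed_b64_pe(blob: bytes) -> list:
    """Scan `blob` for the anchors, widen each hit to the whole base64 run,
    undo the reversal, decode, and keep results that start with 'MZ'.
    Returns (offset_of_run, decoded_bytes) tuples."""
    hits = []
    for anchor in reversed_b64_anchors():
        for m in re.finditer(re.escape(anchor), blob):
            start, end = m.start(), m.end()
            while start > 0 and blob[start - 1] in B64_ALPHABET:
                start -= 1
            while end < len(blob) and blob[end] in B64_ALPHABET:
                end += 1
            try:
                decoded = base64.b64decode(blob[start:end][::-1], validate=True)
            except (binascii.Error, ValueError):
                continue
            if decoded[:2] == b"MZ" and (start, decoded) not in hits:
                hits.append((start, decoded))
    return hits


# Constructed PE-like payload: MZ magic, the DOS stub at its usual offset 0x4E,
# a PE signature further on. Not a real executable.
FAKE_PE = (b"MZ" + b"\x00" * (0x4E - 2) + DOS_STUB + b"\r\r\n$"
           + b"\x00" * 32 + b"PE\x00\x00" + b"\x00" * 64)

# Constructed carrier: reversed base64 text between unrelated bytes, the way a
# dropper would keep it in a resource or a string table.
SAMPLE_BLOB = b"<resource>" + base64.b64encode(FAKE_PE)[::-1] + b"</resource>"

if __name__ == "__main__":
    for offset, pe in find_reversed_b64_pe(SAMPLE_BLOB):
        sig = pe.find(b"PE\x00\x00")
        print(f"reversed base64 PE at offset {offset}: {len(pe)} bytes, PE signature at {sig:#x}")
```

Run against a memory dump or a dropped file, the same scan recovers the embedded stage for hashing and further analysis; the validate=True decode rejects runs that merely happen to contain the anchor.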

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Documento de env#U00edo.exe', ParentImage: C:\Users\user\Desktop\Documento de env#U00edo.exe, ParentProcessId: 6916, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp', ProcessId: 5700
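Two details of that event are worth building into a detection. The command line names C:\Windows\System32\schtasks.exe but the image that actually ran is C:\Windows\SysWOW64\schtasks.exe, because the 32-bit .NET parent is subject to file-system redirection, so a rule should match on the image basename rather than the full path. The task name Updates\&startupname& (and the dropped &startupname&.exe) still carries the builder's unreplaced placeholder, a cheap secondary indicator. The Python below is an added example of the detection logic, written for this page; it is not Joe Security's Sigma rule. Field names follow the Sysmon-style fields quoted above (Image, CommandLine, ParentImage). The first event copies the command line the sandbox recorded; the other two are constructed for contrast.

```python
"""Detection logic for "scheduled task created from a temp-location XML",
run over constructed process-creation events.

Added example, not Joe Security's Sigma rule. The first event reproduces the
command line from the report; the other events are made up.
"""
import re
from dataclasses import dataclass

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
PLACEHOLDER = re.compile(r"&\w+&")   # unreplaced builder token such as &startupname&


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def _arg(flag: str, cmd: str):
    """Value following `flag` in a schtasks command line: double-quoted,
    single-quoted (as the sandbox prints it) or bare."""
    m = re.search(flag + r"""\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", cmd, re.IGNORECASE)
    return next((g for g in m.groups() if g), None) if m else None


def scheduled_task_from_temp(ev: ProcessEvent) -> list:
    """Return the reasons this event should alert; an empty list means no alert.
    Matches on the image basename so SysWOW64 and System32 copies are treated
    alike."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return []
    cmd = ev.command_line
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return []
    reasons = []
    xml = _arg("/XML", cmd)
    if xml and TEMP_DIR.search(xml):
        reasons.append("task XML loaded from temp location: " + xml)
    task_name = _arg("/TN", cmd)
    if task_name and PLACEHOLDER.search(task_name):
        reasons.append("unreplaced builder placeholder in task name: " + task_name)
    if TEMP_DIR.search(ev.parent_image):
        reasons.append("schtasks spawned from temp location: " + ev.parent_image)
    return reasons


def alerts(events) -> list:
    """(command line, reasons) for every event that matches."""
    out = []
    for ev in events:
        reasons = scheduled_task_from_temp(ev)
        if reasons:
            out.append((ev.command_line, reasons))
    return out


SAMPLE_EVENTS = [
    # Copied from the report's Sigma hit, quoting as the sandbox printed it.
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp'",
        parent_image=r"C:\Users\user\Desktop\Documento de env#U00edo.exe",
    ),
    # Constructed benign case: an installer registering an updater from ProgramData.
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"',
        parent_image=r"C:\Program Files\Vendor\setup.exe",
    ),
    # Constructed: a query, not a creation.
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'"C:\Windows\System32\schtasks.exe" /Query /TN "Vendor\Updater"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for cmd, reasons in alerts(SAMPLE_EVENTS):
        print(cmd)
        for r in reasons:
            print("  -", r)
```

The temp-XML check alone fires on some legitimate installers that stage a task definition in %TEMP%; the placeholder and parent-path checks are what push this event from "review" to "alert", and the XML file itself (tmpA035.tmp here) is worth collecting because it names the executable the task will launch.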

      Signature Overview


AV Detection:

Found malware configuration
Source: Documento de env#U00edo.exe.5908.11.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "9231R", "URL: ": "https://9CqZznKRsR4.org", "To: ": "advisor@pierreinsurancebrokers.com", "ByHost: ": "mail.pierreinsurancebrokers.com:587", "Password: ": "=0AoVPRFC8", "From: ": "advisor@pierreinsurancebrokers.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Documento de env#U00edo.exe | Joe Sandbox ML: detected
Networking:

Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 116.202.175.242:587
Source: global traffic | TCP traffic: 192.168.2.3:49735 -> 116.202.175.242:587
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0C
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: Documento de env#U00edo.exe, 0000000B.00000002.514146799.0000000002BA8000.00000004.00000001.sdmp | String found in binary or memory: http://mail.pierreinsurancebrokers.com
Source: Documento de env#U00edo.exe, 0000000B.00000002.512661751.0000000000E56000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: Documento de env#U00edo.exe, 0000000B.00000002.514146799.0000000002BA8000.00000004.00000001.sdmp | String found in binary or memory: http://pierreinsurancebrokers.com
Source: Documento de env#U00edo.exe, 00000000.00000002.302082882.0000000009AE8000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Documento de env#U00edo.exe, 00000000.00000002.295493617.0000000007472000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Documento de env#U00edo.exe, 0000000B.00000002.513549627.0000000002A88000.00000004.00000001.sdmp | String found in binary or memory: https://9CqZznKRsR4.org

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Documento de env#U00edo.exe
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_00FF22DB
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_0199C9E4
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_0199EDB0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_0199EDA0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1F560
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F11500
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F13260
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F140C0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F12070
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F10040
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1CF08
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F19CE0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1B900
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F128F0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F16678
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F16668
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1A5E0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F114EF
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F163E8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1D3D8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F163DB
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F17378
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F17312
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F13251
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F16200
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F161F0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F12063
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F12029
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1001D
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F13FE9
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F14FD0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F14FC9
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1AC90
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F15BB8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F15BA8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F128E1
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F1D8B0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F16890
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F16880
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_10500040
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_105020E1
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_10500006
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_1050003B
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_006B22DB
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_0289FB30
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_0289FB20
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F20040
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F28270
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F22F60
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F273F8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F23C28
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F24050
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F20006
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F28260
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F22F50
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F277BC
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F273E9
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F27834
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E96F8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E3210
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E6378
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E0040
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E9A98
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061EBA88
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E0BE8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061EA9B0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E29C0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E0638
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E062A
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E96EA
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E8592
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E85A0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E3201
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E2271
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E2280
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E92B9
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E92C8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061EC398
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E001E
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E9E11
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E4F68
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E8C18
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E8C08
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E9A88
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E0BDA
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E29B0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061EA9A0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_062299D8
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_06224998
Source: Documento de env#U00edo.exe | Binary or memory string: OriginalFilename vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.298386882.0000000007E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.302729943.0000000010320000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.302729943.0000000010320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.290414920.000000000440E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameykFUEsZAxdgBZgxIVAhyqAhMvVAbpImJuwmUtl.exe4 vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.290127176.0000000003351000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 00000000.00000002.302577896.0000000010220000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe | Binary or memory string: OriginalFilename vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.517512658.0000000005AE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.517874578.0000000006110000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.511366459.0000000000AF7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.510989156.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameykFUEsZAxdgBZgxIVAhyqAhMvVAbpImJuwmUtl.exe4 vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.517959280.0000000006190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, 0000000B.00000002.517980644.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe | Binary or memory string: OriginalFilenameAEcRH.exe< vs Documento de env#U00edo.exe
Source: Documento de env#U00edo.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.243137696.0000000000FF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000B.00000000.287917393.00000000006B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.288777262.0000000000FF2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000B.00000002.511051128.00000000006B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: Documento de env#U00edo.exe PID: 6916, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: Documento de env#U00edo.exe PID: 5908, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 11.2.Documento de env#U00edo.exe.6b0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.0.Documento de env#U00edo.exe.ff0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 11.0.Documento de env#U00edo.exe.6b0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.2.Documento de env#U00edo.exe.ff0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
      Source: Documento de env#U00edo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: &startupname&.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 11.2.Documento de env#U00edo.exe.400000.0.unpack, cvn.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 11.2.Documento de env#U00edo.exe.400000.0.unpack, cvn.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@4/2
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Documento de env#U00edo.exe.log
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File read: C:\Users\user\Desktop\Documento de env#U00edo.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Documento de env#U00edo.exe 'C:\Users\user\Desktop\Documento de env#U00edo.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\Documento de env#U00edo.exe {path}
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp'
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process created: C:\Users\user\Desktop\Documento de env#U00edo.exe {path}
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: Documento de env#U00edo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Documento de env#U00edo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_00FF7E8C push es; ret 0_2_00FF80A0
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F17DDA push edi; ret 0_2_07F17DED
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F12D5D push esi; iretd 0_2_07F12D5E
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_105045FD push FFFFFF8Bh; iretd 0_2_105045FF
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_10500FA4 push edi; iretd 0_2_10500FA5
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_10500FAE push edi; iretd 0_2_10500FAF
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_006B7E8C push es; ret 11_2_006B80A0
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_04F21C67 push ebx; iretd 11_2_04F21C7A
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061ECFF4 push ecx; iretd 11_2_061ECFF9
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061ECD21 push 696609B4h; ret 11_2_061ECD29
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E3DE3 push 8BA44589h; retf 11_2_061E3DF6
      Source: initial sample | Static PE information: section name: .text entropy: 7.85584808067
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp'
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: Process Memory Space: Documento de env#U00edo.exe PID: 6916, type: MEMORY
      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Window / User API: threadDelayed 372
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 6920 | Thread sleep time: -41000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 6944 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 4424 | Thread sleep count: 222 > 30
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 4424 | Thread sleep count: 372 > 30
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -89250s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -59312s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -58406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -87282s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -58000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -57312s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -56906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -85032s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -83391s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -55094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -82359s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -54688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -54500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -54188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -80718s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -80391s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -52906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -52688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -78750s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -51594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -77109s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -76782s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -50500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -75141s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -49406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -49188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -73500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -48812s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -48094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -47906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -71532s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -47000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -46812s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -69891s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -45688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -68250s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -45312s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -44594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -43500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -43312s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -64641s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -42406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -42188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -63000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -61032s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -40406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -40188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -39812s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -39594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -39094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -38312s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -57000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -56391s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -35906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -32812s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -32594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -32406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -30406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -30188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -58906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -58688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -57594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -56500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -55968s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -55406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -53406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -53188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -52094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -51000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -49688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -48594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -48406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -47500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -46406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -45094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -44906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -44406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -44000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -42906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -42688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -41594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -38906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -38688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -37406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -37188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -36688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -36500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -35594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -35406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -35188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -34500s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -34094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -33406s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -33188s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -33000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -32094s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -31906s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -31688s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -31000s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe TID: 3760 | Thread sleep time: -30594s >= -30000s
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Last function: Thread delayed
      Source: Documento de env#U00edo.exe, 0000000B.00000002.517512658.0000000005AE0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Documento de env#U00edo.exe, 0000000B.00000002.517512658.0000000005AE0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Documento de env#U00edo.exe, 0000000B.00000002.517512658.0000000005AE0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: Documento de env#U00edo.exe, 00000000.00000002.302120096.0000000009B30000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: Documento de env#U00edo.exe, 0000000B.00000002.518260334.0000000006270000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: Documento de env#U00edo.exe, 0000000B.00000002.517512658.0000000005AE0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Documento de env#U00edo.exeProcess information queried: ProcessInformationJump to behavior

      Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 0_2_07F112C0 CheckRemoteDebuggerPresent,0_2_07F112C0
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Code function: 11_2_061E3210 LdrInitializeThunk,11_2_061E3210
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Memory written: C:\Users\user\Desktop\Documento de env#U00edo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Documento de env#U00edo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpA035.tmp'