
Analysis Report cotizaci#U00f3n.PDF.bat

Overview

General Information

Sample Name: cotizaci#U00f3n.PDF.bat (renamed file extension from bat to exe)
Analysis ID: 299588
MD5: 6bf6e6b8ddc7518e1c6d4578e42009a7
SHA1: 00d483ac07d85e89f9b367147a3f222180b04686
SHA256: 3d720b8602bbd7f3ae96869336ab23aa357180499b278df6631cb5d5ce645130
Tags: AgentTesla, bat

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • cotizaci#U00f3n.PDF.exe (PID: 3068 cmdline: 'C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe' MD5: 6BF6E6B8DDC7518E1C6D4578E42009A7)
    • cotizaci#U00f3n.PDF.exe (PID: 4696 cmdline: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe MD5: 6BF6E6B8DDC7518E1C6D4578E42009A7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "24xXr21JTlmxDa", "URL: ": "http://BkQyH6HxSXauoe.com", "To: ": "droid@soin3.com", "ByHost: ": "mail.soin3.com:587", "Password: ": "M5xnJ", "From: ": "droid@soin3.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.595270003.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.331899274.00000000033D8000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.598988023.00000000033C2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(6 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
1.2.cotizaci#U00f3n.PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

              Sigma Overview

              System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, CommandLine: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, NewProcessName: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, OriginalFileName: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe' , ParentImage: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, ParentProcessId: 3068, ProcessCommandLine: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe, ProcessId: 4696
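The two process-start observations the report makes, the Sigma double-extension hit on the image name and the sample launching a second copy of itself (PID 3068 spawning PID 4696 in the Startup tree, the step that precedes the PE injection the signatures list), can be reproduced as one triage check over process-creation events. The Python below is an added example, not part of the Joe Sandbox report and not a copy of the Sigma rule: the extension lists only approximate that rule, and the events are constructed to mirror the report's two PIDs plus benign controls.

```python
"""Triage process-creation events for two signals the report flags at start-up:
a document-looking double extension on the image, and a process spawning a
second copy of its own image (the usual prelude to injecting into the child).
Events are constructed for the example; the two malicious ones mirror PIDs
3068 and 4696 from the report."""
import re
from dataclasses import dataclass

# Document-type extensions that should never be followed by an executable one.
# Assumption: these lists approximate the public Sigma rule; they are not a copy of it.
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "pdf", "txt",
            "png", "jpg", "jpeg", "gif")
EXEC_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")

DOUBLE_EXT = re.compile(
    r"\.(?:%s)\.(?:%s)$" % ("|".join(DOC_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


def has_double_extension(image: str) -> bool:
    """True when the file name ends in <doc-ext>.<exec-ext>, e.g. '.PDF.exe'."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1]
    return DOUBLE_EXT.search(name) is not None


def is_self_spawn(ev: ProcessEvent) -> bool:
    """True when a process starts a child from the same image path (case-insensitive)."""
    return ev.image.lower() == ev.parent_image.lower() and ev.pid != ev.ppid


def triage(events):
    """Return {pid: [reasons]} for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = []
        if has_double_extension(ev.image):
            reasons.append("double_extension")
        if is_self_spawn(ev):
            reasons.append("self_spawn")
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample events (Sysmon-style fields), not the report's raw log.
SAMPLE_EVENTS = [
    ProcessEvent(3068, 1234, r"C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(4696, 3068, r"C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe",
                 r"C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe"),
    # Benign controls: a reader opening a real PDF, and an installer with one extension.
    ProcessEvent(5000, 1234, r"C:\Program Files\Reader\AcroRd32.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5100, 1234, r"C:\Users\user\Downloads\setup.exe",
                 r"C:\Windows\explorer.exe"),
    # Self-spawn alone is common (browsers do it), so it is reported as a reason, not a verdict.
    ProcessEvent(5200, 5199, r"C:\Program Files\Browser\browser.exe",
                 r"C:\Program Files\Browser\browser.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The code reports reasons rather than a single verdict because self-spawn on its own is low-signal; it is the combination with a document-named executable that matches what the report describes for PID 4696.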

              Signature Overview

              AV Detection:

Found malware configuration
Source: cotizaci#U00f3n.PDF.exe.4696.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "24xXr21JTlmxDa", "URL: ": "http://BkQyH6HxSXauoe.com", "To: ": "droid@soin3.com", "ByHost: ": "mail.soin3.com:587", "Password: ": "M5xnJ", "From: ": "droid@soin3.com"}
Multi AV Scanner detection for submitted file
Source: cotizaci#U00f3n.PDF.exe | Virustotal: Detection: 25%
Source: cotizaci#U00f3n.PDF.exe | ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: cotizaci#U00f3n.PDF.exe | Joe Sandbox ML: detected
Source: 1.2.cotizaci#U00f3n.PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: global traffic | TCP traffic: 192.168.2.6:49755 -> 162.241.2.113:587
Source: Joe Sandbox View | IP Address: 162.241.2.113
Source: Joe Sandbox View | ASN Name: OIS1US
Source: global traffic | TCP traffic: 192.168.2.6:49755 -> 162.241.2.113:587
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDA09A recv, 1_2_00FDA09A
Source: unknown | DNS traffic detected: queries for: mail.soin3.com
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598988023.00000000033C2000.00000004.00000001.sdmp, cotizaci#U00f3n.PDF.exe, 00000001.00000002.599584189.00000000034C7000.00000004.00000001.sdmp, cotizaci#U00f3n.PDF.exe, 00000001.00000002.599186340.0000000003419000.00000004.00000001.sdmp | String found in binary or memory: http://BkQyH6HxSXauoe.com
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598988023.00000000033C2000.00000004.00000001.sdmp | String found in binary or memory: http://BkQyH6HxSXauoe.comx#
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: http://MKLuVQ.com
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letse
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.332667962.00000000043B1000.00000004.00000001.sdmp, cotizaci#U00f3n.PDF.exe, 00000001.00000002.595270003.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.332667962.00000000043B1000.00000004.00000001.sdmp, cotizaci#U00f3n.PDF.exe, 00000001.00000002.595270003.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.330451338.00000000011F8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
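The extracted configuration and the recorded traffic above (the DNS query for mail.soin3.com and the TCP connection from 192.168.2.6:49755 to 162.241.2.113:587) can be tied together programmatically. The Python below is an added example and not part of the Joe Sandbox report: it normalises the extractor's keys (which carry a trailing ": "), derives host, port and mailbox indicators from them, and checks those against the observations; the one-line format of the observations is constructed here, while the config string and the values are copied from the report.

```python
"""Turn the extracted AgentTesla configuration into network indicators and
check them against the connections the sandbox recorded.  The config string
and the traffic values come from the report; the parsing, the indicator
derivation and the observation line format are added here."""
import json
import re
from ipaddress import ip_address

# Verbatim extractor output from the report (keys carry a trailing ": ").
RAW_CONFIG = ('{"Username: ": "24xXr21JTlmxDa", "URL: ": "http://BkQyH6HxSXauoe.com", '
              '"To: ": "droid@soin3.com", "ByHost: ": "mail.soin3.com:587", '
              '"Password: ": "M5xnJ", "From: ": "droid@soin3.com"}')

# Observations from the report's traffic lines; the line format is constructed.
OBSERVED = [
    "DNS query mail.soin3.com",
    "TCP 192.168.2.6:49755 -> 162.241.2.113:587",
]

FLOW = re.compile(r"TCP (\S+):(\d+) -> (\S+):(\d+)")
DNS = re.compile(r"DNS query (\S+)")


def normalise_config(raw: str) -> dict:
    """Strip the ': ' suffix from the extractor's keys and lower-case them ('ByHost: ' -> 'byhost')."""
    return {k.strip(" :").lower(): v for k, v in json.loads(raw).items()}


def extract_iocs(cfg: dict) -> dict:
    """Derive host, port and mailbox indicators from the normalised config."""
    host, _, port = cfg["byhost"].rpartition(":")
    return {
        "smtp_host": host,
        "smtp_port": int(port),
        "mailboxes": sorted({cfg["to"], cfg["from"]}),
        "mail_domain": cfg["to"].split("@", 1)[1],
        # SMTP is the active channel here; the URL slot holds a random-looking name,
        # so it is carried as a weak indicator rather than as live infrastructure.
        "weak_url": cfg["url"],
    }


def correlate(iocs: dict, observations) -> dict:
    """Report which config-derived expectations the recorded traffic confirms.

    Limit: without the DNS answer record we cannot prove the peer IP is what the
    SMTP host resolved to; we only record that a connection to the configured
    port was seen.  Private peers are ignored so a local relay is not mistaken
    for the exfiltration server."""
    result = {"dns_for_smtp_host": False, "connect_to_smtp_port": False, "smtp_peer_ips": set()}
    for line in observations:
        m = DNS.search(line)
        if m and m.group(1).lower() == iocs["smtp_host"].lower():
            result["dns_for_smtp_host"] = True
        m = FLOW.search(line)
        if m and int(m.group(4)) == iocs["smtp_port"]:
            peer = m.group(3)
            if not ip_address(peer).is_private:
                result["connect_to_smtp_port"] = True
                result["smtp_peer_ips"].add(peer)
    result["smtp_peer_ips"] = sorted(result["smtp_peer_ips"])
    return result


if __name__ == "__main__":
    iocs = extract_iocs(normalise_config(RAW_CONFIG))
    print(iocs)
    print(correlate(iocs, OBSERVED))
```

Blocking mail.soin3.com and outbound 587 from user workstations covers this sample; the mailbox and the SMTP credentials are what to hand to the abuse contact for the mail host, since the same account typically receives the stolen data from every victim of the campaign.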

              System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: cotizaci#U00f3n.PDF.exe
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDB0BA NtQuerySystemInformation, 1_2_00FDB0BA
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDB089 NtQuerySystemInformation, 1_2_00FDB089
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_015325E8
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_015337DE
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_015325D9
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_01537A76
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_01534AB0
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_01534AA0
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_05580AE9
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_05580070
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 0_2_05580006
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_02D6D038
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_02D6B3B8
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_060AB050
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_060A5550
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_060A04DB
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_060A92F8
Source: cotizaci#U00f3n.PDF.exe | Binary or memory string: OriginalFilename vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZFcHWYUDWxcluqydDlvIkjkN.exe4 vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.330451338.00000000011F8000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331899274.00000000033D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.334024407.0000000005770000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.329907826.0000000000A12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOscw.exe6 vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.330831299.0000000002F90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe | Binary or memory string: OriginalFilename vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000000.329348352.0000000000992000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOscw.exe6 vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600238796.0000000005900000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.595270003.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZFcHWYUDWxcluqydDlvIkjkN.exe4 vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596609943.0000000001320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596524498.0000000001230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596597200.0000000001310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.599838235.0000000005460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596342265.000000000113A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs cotizaci#U00f3n.PDF.exe
Source: cotizaci#U00f3n.PDF.exe | Binary or memory string: OriginalFilenameOscw.exe6 vs cotizaci#U00f3n.PDF.exe
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: security.dll
Source: cotizaci#U00f3n.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDAF3E AdjustTokenPrivileges, 1_2_00FDAF3E
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDAF07 AdjustTokenPrivileges, 1_2_00FDAF07
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cotizaci#U00f3n.PDF.exe.log
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: cotizaci#U00f3n.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: cotizaci#U00f3n.PDF.exe | Virustotal: Detection: 25%
Source: cotizaci#U00f3n.PDF.exe | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe 'C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe'
Source: unknown | Process created: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Process created: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: cotizaci#U00f3n.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: cotizaci#U00f3n.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.330831299.0000000002F90000.00000002.00000001.sdmp, cotizaci#U00f3n.PDF.exe, 00000001.00000002.596524498.0000000001230000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_05C03FCC push cs; retf 1_2_05C03FE3
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_05C03F59 push cs; retf 1_2_05C03F6F
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_05C04040 push cs; retf 1_2_05C04057
Source: initial sample | Static PE information: section name: .text entropy: 7.58326733905

              Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: cotizaci#U00f3n.PDF.exe
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              barindex
              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.331899274.00000000033D8000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cotizaci#U00f3n.PDF.exe PID: 3068, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4828 | Thread sleep time: -51574s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4652 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -119564s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -59500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -59282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -88641s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -58874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -117376s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -117000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -58188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -58000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -86673s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -115188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -114748s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -57094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -85032s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -113000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -112564s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -55782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -83391s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -83061s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -82782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -82500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -81750s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -81423s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -54094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -80811s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -53594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -53374s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -79782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -78891s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -78561s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -78141s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -77532s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -77250s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -51282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -75561s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -75141s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -49688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -74250s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -73923s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -96748s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -96376s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -70641s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -70311s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -46374s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -69282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -69000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -68250s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -45282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -90188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -67311s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -66750s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -66282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -66000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -65673s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -65061s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -43094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -42874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -42688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -42500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -63423s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -63000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -41782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -62061s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -61782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -61500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -40688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -60423s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -60141s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -79748s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -59061s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -58782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -39000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -37874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -37188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -55500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -36782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -36500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -54423s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -36094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -33874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -33500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -49500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -49173s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -32374s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -32000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -47532s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -31094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -39000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -33750s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -51188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -48594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -48000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -47688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -71250s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -47282s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38374s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -38000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -35374s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -34000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -33188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -32094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -31874s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -31188s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -31000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -59594s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -54782s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -53688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -53500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -49094s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -46500s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -43000s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -39688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe TID: 4824 | Thread sleep time: -30688s >= -30000s
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Last function: Thread delayed
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596429458.00000000011AA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW\TempTMP=C:\UX$R>r
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.599838235.0000000005460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.599838235.0000000005460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.599838235.0000000005460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.600789959.00000000062C4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: cotizaci#U00f3n.PDF.exe, 00000000.00000002.331838236.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.599838235.0000000005460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_02D67820 LdrInitializeThunk, 1_2_02D67820
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Memory written: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Process created: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596719904.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596719904.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596719904.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
              Source: cotizaci#U00f3n.PDF.exe, 00000001.00000002.596719904.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Code function: 1_2_00FDB61E GetUserNameW, 1_2_00FDB61E
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000001.00000002.595270003.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.598988023.00000000033C2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.598541150.0000000003311000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.332667962.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cotizaci#U00f3n.PDF.exe PID: 4696, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cotizaci#U00f3n.PDF.exe PID: 3068, type: MEMORY
              Source: Yara match | File source: 1.2.cotizaci#U00f3n.PDF.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\cotizaci#U00f3n.PDF.exe | File opened: C:\Users\user\AppData\