Analysis Report SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe

Overview

General Information

Sample Name: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Analysis ID: 384212
MD5: ac6576aa4888bbbb8bd2598e75f8b6d1
SHA1: e61899b32566e203023dc8947c5d9d27b527af97
SHA256: 7c90ae17ff566ca8b5fef5903dab4f0a0c4382354ffe1ba9e4285bcec735fa9f
Tags: exe, GuLoader

Detection

GuLoader, Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Raccoon Stealer
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: machineinfo.txt.2.dr.binstr Malware Configuration Extractor: Raccoon Stealer
    00000000 -> Raccoon | 1.7.3
    Build compile date: Sat Feb 27 21:25:06 2021
    Launched at: 2021.04.09 - 01:46:41 GMT
    Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user
    Running on a desktop
    -------------
    - Cookies: 1
    - Passwords: 0
    - Files: 0
    System Information:
    - System Language: English
    - System TimeZone: -8 hrs
    - IP: 185.32.222.8
    - Location: 47.431301, 8.562700 | Glattbrugg, Zurich, Switzerland (8152)
    - ComputerName: 123716
    - Username: user
    - Windows version: NT 10.0
    - Product name: Windows 10 Pro
    - System arch: x64
    - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)
    - RAM: 8191 MB (8125 MB used)
    - Screen resolution: 1280x1024
    - Display devices:
    0) Microsoft Basic Display Adapter
    -------------
    Installed Apps:
    Adobe Acrobat Reader DC (19.012.20035)
    Google Chrome (85.0.4183.121)
    Google Update Helper (1.3.35.451)
    Java 8 Update 211 (8.0.2110.12)
    Java Auto Updater (2.8.211.12)
    Update for Skype for Business 2016 (KB4484286) 32-Bit Edition
    -------------
Multi AV Scanner detection for domain / URL
Source: telete.in Virustotal: Detection: 11%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY
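
What the extractor labels a configuration is the stealer's own machineinfo.txt, the report Raccoon writes about the host it just harvested: the first line gives the family and build, Bot_ID is a GUID-shaped machine identifier followed by the username, the three counters (Cookies, Passwords, Files) say what was actually collected, and the remainder fingerprints the victim. Because the victim here is the analysis VM, the IP, location, ComputerName and Username are the sandbox's own and are not indicators to block. The parser below is an added example, not part of the Joe Sandbox report and not Raccoon or Joe Sandbox tooling; it assumes the line layout shown above and embeds those lines so it runs offline.

```python
import re
from datetime import datetime, timezone

# machineinfo.txt exactly as the extractor printed it above (copied from the
# report so the example runs offline).
RACCOON_MACHINEINFO = [
    "00000000 -> Raccoon | 1.7.3",
    "Build compile date: Sat Feb 27 21:25:06 2021",
    "Launched at: 2021.04.09 - 01:46:41 GMT",
    "Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user",
    "Running on a desktop",
    "-------------",
    "- Cookies: 1",
    "- Passwords: 0",
    "- Files: 0",
    "System Information:",
    "- System Language: English",
    "- System TimeZone: -8 hrs",
    "- IP: 185.32.222.8",
    "- Location: 47.431301, 8.562700 | Glattbrugg, Zurich, Switzerland (8152)",
    "- ComputerName: 123716",
    "- Username: user",
    "- Windows version: NT 10.0",
    "- Product name: Windows 10 Pro",
    "- System arch: x64",
    "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)",
    "- RAM: 8191 MB (8125 MB used)",
    "- Screen resolution: 1280x1024",
    "- Display devices:",
    "0) Microsoft Basic Display Adapter",
    "-------------",
    "Installed Apps:",
    "Adobe Acrobat Reader DC (19.012.20035)",
    "Google Chrome (85.0.4183.121)",
    "Google Update Helper (1.3.35.451)",
    "Java 8 Update 211 (8.0.2110.12)",
    "Java Auto Updater (2.8.211.12)",
    "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition",
    "-------------",
]

KV_RE = re.compile(r"^- (?P<key>[^:]+): (?P<value>.*)$")        # "- Key: value"
DEVICE_RE = re.compile(r"^\d+\) (?P<name>.+)$")                  # "0) adapter name"
APP_RE = re.compile(r"^(?P<name>.+) \((?P<version>[\d.]+)\)$")   # "Name (1.2.3)"


def parse_machineinfo(lines):
    """Parse Raccoon's machineinfo.txt into header fields, loot counters,
    the victim fingerprint and the installed-software list."""
    info = {"loot": {}, "system": {}, "display_devices": [], "installed_apps": []}
    section = "header"
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line == "System Information:":
            section = "system"
            continue
        if line == "Installed Apps:":
            section = "apps"
            continue
        if section == "header":
            if " -> " in line and " | " in line:             # "00000000 -> Raccoon | 1.7.3"
                family, version = line.split(" -> ", 1)[1].split(" | ", 1)
                info["family"], info["version"] = family.strip(), version.strip()
            elif line.startswith("Build compile date: "):
                info["compile_date"] = datetime.strptime(
                    line[len("Build compile date: "):], "%a %b %d %H:%M:%S %Y")
            elif line.startswith("Launched at: "):
                info["launched_at"] = datetime.strptime(
                    line[len("Launched at: "):], "%Y.%m.%d - %H:%M:%S GMT"
                ).replace(tzinfo=timezone.utc)
            elif line.startswith("Bot_ID: "):
                # GUID-shaped machine identifier, "_", then the username.
                info["bot_id"] = line[len("Bot_ID: "):]
                info["machine_guid"], _, info["bot_user"] = info["bot_id"].rpartition("_")
            elif (m := KV_RE.match(line)):                    # "- Cookies: 1" etc.
                info["loot"][m["key"].lower()] = int(m["value"])
            else:
                info["form_factor"] = line                     # "Running on a desktop"
        elif section == "system":
            if (m := DEVICE_RE.match(line)):
                info["display_devices"].append(m["name"])
            elif (m := KV_RE.match(line)):
                info["system"][m["key"]] = m["value"]
            # "- Display devices:" carries no value and is only a sub-header
        else:
            m = APP_RE.match(line)
            info["installed_apps"].append((m["name"], m["version"]) if m else (line, None))
    return info


def triage_summary(info):
    """The facts an incident responder needs first from this file."""
    system = info["system"]
    return {
        "stealer": f"{info['family']} {info['version']}",
        "victim": f"{system['ComputerName']}\\{system['Username']}",
        "bot_user_matches_username": info["bot_user"] == system["Username"],
        "stolen": {k: v for k, v in info["loot"].items() if v},   # non-zero counters only
        "victim_public_ip": system["IP"],                          # the sandbox egress here
        "apps_without_version": [n for n, v in info["installed_apps"] if v is None],
    }
```

For this run the summary shows one cookie and no passwords or files taken, which is what an empty sandbox profile yields; on a real host the same counters are the quickest measure of exposure. The installed-software list is worth keeping too: the stealer records browser and mail-client versions, which tells you which credential stores it targeted.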

Compliance:

Uses 32bit PE files
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.230.68.40:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.2.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.2.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317274043.000000006D879000.00000002.00020000.sdmp, mozglue.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.2.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.2.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.2.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317274043.000000006D879000.00000002.00020000.sdmp, mozglue.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248 195.201.225.248
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: doc-0o-7g-docs.googleusercontent.com
Source: nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.2.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.2.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: nss3.dll.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nssckbi.dll.2.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://ocsp.accv.es0
Source: nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3.dll.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.2.dr String found in binary or memory: http://policy.camerfirma.com0
Source: nssckbi.dll.2.dr String found in binary or memory: http://repository.swisssign.com/0
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313628670.000000000090E000.00000004.00000020.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: nss3.dll.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: nss3.dll.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: nss3.dll.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.2.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: nss3.dll.2.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.2.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313364575.0000000000561000.00000040.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1sutNyIkGC4qW-TBVnnvzM8UZ9thch0vZ
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nssckbi.dll.2.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.2.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313628670.000000000090E000.00000004.00000020.sdmp String found in binary or memory: https://shehootastayonwhatshelirned.top/
Source: nssckbi.dll.2.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.2.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: nss3.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313628670.000000000090E000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.230.68.40:443 -> 192.168.2.5:49727 version: TLS 1.2
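
Most of the URL strings in this section are sourced from nss3.dll and nssckbi.dll, that is, Mozilla's NSS library and its built-in root certificate store (the pdb paths above place them in a Thunderbird build tree). The CRL, OCSP and CPS links are those libraries' own embedded strings; Raccoon drops NSS so it can decrypt Firefox and Thunderbird credential stores, and none of those links are attacker infrastructure. The indicators worth acting on are the runtime observations (the DNS query, the TLS peers, the JA3 hashes, the mutex and the dropped sqlite3.dll) and the strings found only in the sample's own memory: the Google Drive download URL, shehootastayonwhatshelirned.top, and the telete.in lookup flagged by VirusTotal. The script below is an added example, not Joe Sandbox tooling and not part of the report; it applies that split to Source lines copied from this section and from the mutex and dropped-file lines in System Summary. The library list, the three tiers and the treatment of 192.168.x addresses as the analysis VM are my assumptions, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Source lines copied from this report (Networking section, plus the mutex and
# dropped-file lines from System Summary). The last one keeps the "Jump to
# behavior" link text that a raw export of the page carries.
REPORT_LINES = [
    "Source: telete.in Virustotal: Detection: 11%",
    "Source: Joe Sandbox View IP Address: 195.201.225.248 195.201.225.248",
    "Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877",
    "Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19",
    "Source: unknown DNS traffic detected: queries for: doc-0o-7g-docs.googleusercontent.com",
    "Source: nss3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
    "Source: nssckbi.dll.2.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06",
    "Source: sqlite3.dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.",
    "Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313364575.0000000000561000.00000040.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1sutNyIkGC4qW-TBVnnvzM8UZ9thch0vZ",
    "Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313628670.000000000090E000.00000004.00000020.sdmp String found in binary or memory: https://shehootastayonwhatshelirned.top/",
    "Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000003.302815241.000000001E191000.00000004.00000001.sdmp, RYwTiizs2t.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.5:49722 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.5:49723 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 5.230.68.40:443 -> 192.168.2.5:49727 version: TLS 1.2",
    r"Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser",
    r"Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to behavior",
]

# Dropped files that are legitimate Mozilla/NSS and C-runtime libraries. A URL
# found only in these is the library's own string (CA, CRL, OCSP, licence links).
# Assumed list, built from the .dr names in this report.
LIBRARY_SOURCES = frozenset({
    "nss3.dll", "nssckbi.dll", "softokn3.dll", "freebl3.dll", "nssdbm3.dll",
    "mozglue.dll", "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll", "ucrtbase.dll",
})
SANDBOX_PREFIXES = ("192.168.", "10.", "127.")   # assumed to be the analysis VM's side

# First match wins; "src" is the provenance text between "Source:" and the event.
EVENT_PATTERNS = [
    ("url",    re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<val>\S+)$")),
    ("domain", re.compile(r"^Source: (?P<src>.+?) DNS traffic detected: queries for: (?P<val>\S+)$")),
    ("ip",     re.compile(r"^Source: (?P<src>.+?) HTTPS traffic detected: (?P<val>[\d.]+):443 -> ")),
    ("ip",     re.compile(r"^Source: (?P<src>.+?) IP Address: (?P<val>[\d.]+)")),
    ("ja3",    re.compile(r"^Source: (?P<src>.+?) JA3 fingerprint: (?P<val>[0-9a-f]{32})$")),
    ("domain", re.compile(r"^Source: (?P<val>\S+) Virustotal: Detection: (?P<src>\d+%)$")),
    ("mutex",  re.compile(r"^Source: (?P<src>.+?) Mutant created: (?P<val>\S+)$")),
    ("file",   re.compile(r"^Source: (?P<src>.+?) File created: (?P<val>.+?)(?: Jump to behavior)?$")),
]
KINDS = ("url", "domain", "ip", "ja3", "mutex", "file")


def classify_source(src):
    """Tier a static string by where the sandbox saw it.

    noise:     only in dropped library DLLs (or in them plus the process that loaded them)
    review:    also in a dropped non-library file, usually data the sample copied out of
               a browser profile (search-engine URLs) rather than its own configuration
    candidate: only in the sample's own image or memory dumps
    """
    parts = [p.strip() for p in src.split(",")]
    dropped = [re.sub(r"\.\d+\.dr$", "", p) for p in parts if p.endswith(".dr")]
    if dropped and all(d in LIBRARY_SOURCES for d in dropped):
        return "noise"
    if dropped:
        return "review"
    return "candidate"


def extract_iocs(lines):
    """Return {tier: {kind: set(values)}} for the Source lines of a Joe Sandbox report."""
    tiers = {t: {k: set() for k in KINDS} for t in ("candidate", "review", "noise")}
    for line in lines:
        for kind, pat in EVENT_PATTERNS:
            m = pat.match(line.strip())
            if not m:
                continue
            val = m["val"]
            if kind == "ip" and val.startswith(SANDBOX_PREFIXES):
                break                                   # the VM's own address
            # Only static strings need provenance; runtime events are observations.
            tier = classify_source(m["src"]) if kind == "url" else "candidate"
            tiers[tier][kind].add(val)
            if kind == "url" and urlsplit(val).hostname:
                tiers[tier]["domain"].add(urlsplit(val).hostname)
            break
    return tiers


def candidate_hosts(tiers):
    """Domains and IPs from the candidate tier, for review before blocking."""
    return sorted(tiers["candidate"]["domain"] | tiers["candidate"]["ip"])


if __name__ == "__main__":
    for tier, kinds in extract_iocs(REPORT_LINES).items():
        for kind, values in kinds.items():
            for v in sorted(values):
                print(f"{tier:9} {kind:6} {v}")
```

Two caveats on the candidate tier. drive.google.com and doc-0o-7g-docs.googleusercontent.com are shared Google hosts; the observed Drive download URL is consistent with GuLoader fetching its encrypted payload from cloud storage, so block or hunt at the URL level, not the domain. The duckduckgo.com string lands in the review tier because it is also present in RYwTiizs2t.2.dr, a file the sample wrote; that is the pattern of harvested browser data, not of the sample's own configuration.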

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_0041112C OpenClipboard, 0_2_0041112C

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F0405 EnumWindows,NtSetInformationThread, 0_2_020F0405
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F4E3B NtProtectVirtualMemory, 0_2_020F4E3B
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F524D NtSetInformationThread,NtResumeThread, 0_2_020F524D
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F1E97 NtWriteVirtualMemory, 0_2_020F1E97
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F04EB NtSetInformationThread, 0_2_020F04EB
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F11BB NtSetInformationThread, 0_2_020F11BB
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F4DD5 NtProtectVirtualMemory, 0_2_020F4DD5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_004016BC EntryPoint,#100,ExitWindowsEx, 0_2_004016BC
Detected potential crypto function
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86BD8F 2_2_6D86BD8F
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D875F1F 2_2_6D875F1F
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D870229 2_2_6D870229
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: String function: 6D8690E5 appears 41 times
PE file contains more sections than normal
Source: sqlite3.dll.2.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000000.00000000.225582009.000000000041A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUdlgni4.exe vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317097027.0000000066BD0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.316993403.000000001E160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.316942868.000000001DD80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317297784.000000006D882000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317595619.000000006D9DB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.316959971.000000001DED0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317004200.000000001E170000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000000.249007512.000000000041A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUdlgni4.exe vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Binary or memory string: OriginalFilenameUdlgni4.exe vs SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe
Uses 32bit PE files
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/67@3/4
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86ADB0 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 2_2_6D86ADB0
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DFDD95C7EBD0200746.TMP
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: softokn3.dll.2.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.2.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.2.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.2.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown Process created: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.2.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.2.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317531184.000000006D9A0000.00000002.00020000.sdmp, nss3.dll.2.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.2.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317274043.000000006D879000.00000002.00020000.sdmp, mozglue.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.2.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.2.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.2.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317274043.000000006D879000.00000002.00020000.sdmp, mozglue.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.2.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.2.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.2.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.2.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.2.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.2.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.313364575.0000000000561000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 1688, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 1688, type: MEMORY
PE file contains sections with non-standard names
Source: sqlite3.dll.2.dr Static PE information: section name: /4
Source: sqlite3.dll.2.dr Static PE information: section name: /19
Source: sqlite3.dll.2.dr Static PE information: section name: /31
Source: sqlite3.dll.2.dr Static PE information: section name: /45
Source: sqlite3.dll.2.dr Static PE information: section name: /57
Source: sqlite3.dll.2.dr Static PE information: section name: /70
Source: sqlite3.dll.2.dr Static PE information: section name: /81
Source: sqlite3.dll.2.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00402462 pushfd ; iretd 0_2_00402491
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_0040327E push dword ptr [edi-4B012F33h]; retf 0_2_00403291
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00402492 pushfd ; iretd 0_2_00402495
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00402696 pushfd ; iretd 0_2_00402699
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00402F6D pushfd ; iretd 0_2_00402F75
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00403700 push fs; ret 0_2_00403799
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_00403326 pushfd ; iretd 0_2_00403329
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_004051DC pushfd ; iretd 0_2_004051DD
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_004043DD pushfd ; iretd 0_2_004043E1
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D878646 push ecx; ret 2_2_6D878659

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F524D NtSetInformationThread,NtResumeThread, 0_2_020F524D
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F05E9 TerminateProcess, 0_2_020F05E9
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F44C9 second address: 00000000020F44C9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F98ECACAE88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp al, AAh 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002e jne 00007F98ECACAE65h 0x00000030 test bx, dx 0x00000033 test eax, edx 0x00000035 call 00007F98ECACAF42h 0x0000003a call 00007F98ECACAE98h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313364575.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F44C9 second address: 00000000020F44C9 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F98ECACAE88h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp al, AAh 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002e jne 00007F98ECACAE65h 0x00000030 test bx, dx 0x00000033 test eax, edx 0x00000035 call 00007F98ECACAF42h 0x0000003a call 00007F98ECACAE98h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F44E9 second address: 00000000020F44E9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F98ECA5FF89h 0x0000001d popad 0x0000001e call 00007F98ECA5FCC1h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F0739 second address: 00000000020F0632 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop esi 0x00000004 cmp eax, 7C8AA9FDh 0x00000009 je 00007F98ECACEEE5h 0x0000000f cmp eax, 9B8FFB51h 0x00000014 je 00007F98ECACEEDAh 0x0000001a test cx, dx 0x0000001d cmp eax, 555E1691h 0x00000022 je 00007F98ECACEECCh 0x00000028 cmp eax, CE81C85Dh 0x0000002d je 00007F98ECACEEC1h 0x00000033 test ecx, eax 0x00000035 inc esi 0x00000036 cmp eax, ebx 0x00000038 cmp esi, 000000FFh 0x0000003e jne 00007F98ECACAD29h 0x00000044 mov edi, dword ptr [ebp+20h] 0x00000047 add edi, 00010000h 0x0000004d cmp ecx, edx 0x0000004f push edi 0x00000050 pushad 0x00000051 mov ebx, 000000A1h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F07CD second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 00000000h 0x00000005 push 00000000h 0x00000007 test cx, dx 0x0000000a push eax 0x0000000b call 00007F98ECA64620h 0x00000010 call 00007F98ECA5FBB5h 0x00000015 pop ebx 0x00000016 sub ebx, 05h 0x00000019 jmp 00007F98ECA5FC4Dh 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F09E6 second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, ebp 0x00000005 add edx, 0000009Ch 0x0000000b test cx, dx 0x0000000e push edx 0x0000000f push 00000007h 0x00000011 push FFFFFFFFh 0x00000013 test ecx, eax 0x00000015 push eax 0x00000016 cmp eax, ebx 0x00000018 call 00007F98ECACF6CAh 0x0000001d call 00007F98ECACAE85h 0x00000022 pop ebx 0x00000023 sub ebx, 05h 0x00000026 jmp 00007F98ECACAF1Dh 0x0000002b pushad 0x0000002c lfence 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F1EF8 second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [ebp+4Ch] 0x0000000e cmp ax, dx 0x00000011 call 00007F98ECA61B38h 0x00000016 cmp ax, bx 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f cld 0x00000020 mov eax, dword ptr [eax+10h] 0x00000023 mov eax, dword ptr [eax+3Ch] 0x00000026 ret 0x00000027 push eax 0x00000028 push 00000000h 0x0000002a cmp eax, ecx 0x0000002c push dword ptr [ebp+50h] 0x0000002f call 00007F98ECA62EE2h 0x00000034 call 00007F98ECA5FBB5h 0x00000039 pop ebx 0x0000003a sub ebx, 05h 0x0000003d jmp 00007F98ECA5FC4Dh 0x00000042 pushad 0x00000043 lfence 0x00000046 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F20A6 second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [edi+14h], 00000000h 0x00000012 cmp ax, dx 0x00000015 cmp eax, ecx 0x00000017 push 00000000h 0x00000019 push 00000001h 0x0000001b cmp ebx, 3BD0C633h 0x00000021 sub edi, 20h 0x00000024 push edi 0x00000025 cmp ah, bh 0x00000027 add edi, 20h 0x0000002a push edi 0x0000002b cmp al, dl 0x0000002d push 00000001h 0x0000002f mov dword ptr [ebp+0000010Ch], 00000000h 0x00000039 mov eax, ebp 0x0000003b test cx, cx 0x0000003e add eax, 0000010Ch 0x00000043 push eax 0x00000044 push dword ptr [ebp+000000FCh] 0x0000004a call 00007F98ECACDFD8h 0x0000004f call 00007F98ECACAE85h 0x00000054 pop ebx 0x00000055 sub ebx, 05h 0x00000058 jmp 00007F98ECACAF1Dh 0x0000005d pushad 0x0000005e lfence 0x00000061 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F2149 second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov edi, dword ptr [ebp+20h] 0x0000000e cmp ax, dx 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push 00000002h 0x00000017 cmp eax, ecx 0x00000019 mov eax, ebp 0x0000001b add eax, 00000100h 0x00000020 mov dword ptr [eax], 00000000h 0x00000026 cmp ebx, 26C6D910h 0x0000002c push eax 0x0000002d cmp ah, bh 0x0000002f push 00000000h 0x00000031 cmp al, dl 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 mov eax, ebp 0x00000039 test cx, cx 0x0000003c add eax, 00000104h 0x00000041 mov dword ptr [eax], 00400000h 0x00000047 push eax 0x00000048 push dword ptr [edi+00000800h] 0x0000004e push dword ptr [ebp+00000108h] 0x00000054 push dword ptr [ebp+3Ch] 0x00000057 call 00007F98ECA62C58h 0x0000005c call 00007F98ECA5FBB5h 0x00000061 pop ebx 0x00000062 sub ebx, 05h 0x00000065 jmp 00007F98ECA5FC4Dh 0x0000006a pushad 0x0000006b lfence 0x0000006e rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000020F2338 second address: 00000000020F52F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov ecx, dword ptr [ebp+20h] 0x0000000e cmp ax, dx 0x00000011 add ecx, 00004100h 0x00000017 mov dword ptr [ecx], 00010007h 0x0000001d cmp eax, ecx 0x0000001f push ecx 0x00000020 push dword ptr [edi+00000804h] 0x00000026 cmp ebx, 0E80C626h 0x0000002c push dword ptr [ebp+28h] 0x0000002f cmp ah, bh 0x00000031 call 00007F98ECACDD5Fh 0x00000036 call 00007F98ECACAE85h 0x0000003b pop ebx 0x0000003c sub ebx, 05h 0x0000003f jmp 00007F98ECACAF1Dh 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000005644E9 second address: 00000000005644E9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F98ECA5FF89h 0x0000001d popad 0x0000001e call 00007F98ECA5FCC1h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000560739 second address: 0000000000560632 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 pop esi 0x00000004 cmp eax, 7C8AA9FDh 0x00000009 je 00007F98ECACEEE5h 0x0000000f cmp eax, 9B8FFB51h 0x00000014 je 00007F98ECACEEDAh 0x0000001a test cx, dx 0x0000001d cmp eax, 555E1691h 0x00000022 je 00007F98ECACEECCh 0x00000028 cmp eax, CE81C85Dh 0x0000002d je 00007F98ECACEEC1h 0x00000033 test ecx, eax 0x00000035 inc esi 0x00000036 cmp eax, ebx 0x00000038 cmp esi, 000000FFh 0x0000003e jne 00007F98ECACAD29h 0x00000044 mov edi, dword ptr [ebp+20h] 0x00000047 add edi, 00010000h 0x0000004d cmp ecx, edx 0x0000004f push edi 0x00000050 pushad 0x00000051 mov ebx, 000000A1h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000005607CD second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push 00000000h 0x00000005 push 00000000h 0x00000007 test cx, dx 0x0000000a push eax 0x0000000b call 00007F98ECA64620h 0x00000010 call 00007F98ECA5FBB5h 0x00000015 pop ebx 0x00000016 sub ebx, 05h 0x00000019 jmp 00007F98ECA5FC4Dh 0x0000001e pushad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000005609E6 second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov edx, ebp 0x00000005 add edx, 0000009Ch 0x0000000b test cx, dx 0x0000000e push edx 0x0000000f push 00000007h 0x00000011 push FFFFFFFFh 0x00000013 test ecx, eax 0x00000015 push eax 0x00000016 cmp eax, ebx 0x00000018 call 00007F98ECACF6CAh 0x0000001d call 00007F98ECACAE85h 0x00000022 pop ebx 0x00000023 sub ebx, 05h 0x00000026 jmp 00007F98ECACAF1Dh 0x0000002b pushad 0x0000002c lfence 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 000000000056164E second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push FFFFFFFFh 0x00000005 push dword ptr [ebp+24h] 0x00000008 cmp eax, edx 0x0000000a call 00007F98ECA637A0h 0x0000000f call 00007F98ECA5FBB5h 0x00000014 pop ebx 0x00000015 sub ebx, 05h 0x00000018 jmp 00007F98ECA5FC4Dh 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000561A8B second address: 00000000005652F2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [eax+08h], 00400000h 0x00000012 cmp bh, ch 0x00000014 mov eax, dword ptr [eax+0Ch] 0x00000017 mov eax, dword ptr [eax+14h] 0x0000001a mov dword ptr [eax+10h], 00400000h 0x00000021 cmp bh, bh 0x00000023 cmp ax, 00009409h 0x00000027 test ax, bx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e cmp ebx, 99359DB0h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 cmp dl, FFFFFFA3h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push dword ptr [ebp+000000C0h] 0x00000044 call 00007F98ECACE5F9h 0x00000049 call 00007F98ECACAE85h 0x0000004e pop ebx 0x0000004f sub ebx, 05h 0x00000052 jmp 00007F98ECACAF1Dh 0x00000057 pushad 0x00000058 lfence 0x0000005b rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F524D rdtsc 0_2_020F524D
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Dropped PE files which have not been started (one event per file, all written to C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\):
  • api-ms-win-crt-private-l1-1-0.dll
  • api-ms-win-crt-locale-l1-1-0.dll
  • api-ms-win-core-namedpipe-l1-1-0.dll
  • api-ms-win-core-localization-l1-2-0.dll
  • lgpllibs.dll
  • api-ms-win-core-util-l1-1-0.dll
  • qipcap.dll
  • libEGL.dll
  • mozMapi32.dll
  • api-ms-win-crt-stdio-l1-1-0.dll
  • MapiProxy_InUse.dll
  • api-ms-win-crt-time-l1-1-0.dll
  • api-ms-win-core-processenvironment-l1-1-0.dll
  • api-ms-win-core-file-l1-2-0.dll
  • breakpadinjector.dll
  • api-ms-win-crt-utility-l1-1-0.dll
  • api-ms-win-core-string-l1-1-0.dll
  • AccessibleHandler.dll
  • api-ms-win-core-memory-l1-1-0.dll
  • api-ms-win-core-synch-l1-1-0.dll
  • ldif60.dll
  • api-ms-win-core-rtlsupport-l1-1-0.dll
  • api-ms-win-core-file-l2-1-0.dll
  • freebl3.dll
  • api-ms-win-crt-process-l1-1-0.dll
  • api-ms-win-core-synch-l1-2-0.dll
  • api-ms-win-crt-string-l1-1-0.dll
  • api-ms-win-core-interlocked-l1-1-0.dll
  • api-ms-win-core-processthreads-l1-1-0.dll
  • IA2Marshal.dll
  • api-ms-win-crt-filesystem-l1-1-0.dll
  • api-ms-win-core-timezone-l1-1-0.dll
  • api-ms-win-core-heap-l1-1-0.dll
  • nssdbm3.dll
  • api-ms-win-core-sysinfo-l1-1-0.dll
  • prldap60.dll
  • api-ms-win-crt-conio-l1-1-0.dll
  • api-ms-win-core-processthreads-l1-1-1.dll
  • ldap60.dll
  • api-ms-win-core-libraryloader-l1-1-0.dll
  • mozMapi32_InUse.dll
  • api-ms-win-crt-heap-l1-1-0.dll
  • api-ms-win-crt-math-l1-1-0.dll
  • api-ms-win-crt-runtime-l1-1-0.dll
  • nssckbi.dll
  • api-ms-win-crt-multibyte-l1-1-0.dll
  • api-ms-win-core-handle-l1-1-0.dll
  • api-ms-win-crt-environment-l1-1-0.dll
  • AccessibleMarshal.dll
  • MapiProxy.dll
  • softokn3.dll
  • api-ms-win-crt-convert-l1-1-0.dll
  • api-ms-win-core-profile-l1-1-0.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 6780 Thread sleep count: 84 > 30
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86199C GetSystemInfo,MapViewOfFile, 2_2_6D86199C
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317097027.0000000066BD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317097027.0000000066BD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.313364575.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317097027.0000000066BD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe, 00000002.00000002.317097027.0000000066BD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F0405 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000048,00000000,00020040,00000000 0_2_020F0405
Hides threads from debuggers
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F524D rdtsc 0_2_020F524D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F3032 LdrInitializeThunk, 0_2_020F3032
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86308C IsDebuggerPresent,OutputDebugStringA,_dup,_fdopen,__vfprintf_l,fclose, 2_2_6D86308C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F4238 mov eax, dword ptr fs:[00000030h] 0_2_020F4238
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F144F mov eax, dword ptr fs:[00000030h] 0_2_020F144F
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F1A66 mov eax, dword ptr fs:[00000030h] 0_2_020F1A66
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F1897 mov eax, dword ptr fs:[00000030h] 0_2_020F1897
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F3E91 mov eax, dword ptr fs:[00000030h] 0_2_020F3E91
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F4926 mov eax, dword ptr fs:[00000030h] 0_2_020F4926
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 0_2_020F2535 mov eax, dword ptr fs:[00000030h] 0_2_020F2535
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D8784D6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D8784D6
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D877414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6D877414

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86149E cpuid 2_2_6D86149E
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Code function: 2_2_6D86B95E GetSystemTimeAdjustment,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 2_2_6D86B95E
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe PID: 4516, type: MEMORY

Behavior Graph (rendered as an image in the original; the node and edge data recovered from it follows)

Behavior Graph ID: 384212 Sample: SOLICITUD DE PRESUPUESTO 08... Startdate: 08/04/2021 Architecture: WINDOWS Score: 100

Root signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Yara detected GuLoader; 7 other signatures

Process tree:
  • SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe (started)
      Signatures: Tries to detect Any.run; Hides threads from debuggers
      • SOLICITUD DE PRESUPUESTO 08-04-2021#U00b7pdf.exe (started)
          DNS/IP: telete.in 195.201.225.248, 443, 49723 HETZNER-ASDE Germany; googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49722 GOOGLEUS United States; 3 other IPs or domains
          Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32; C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\...\ucrtbase.dll, PE32; 56 other files (none is malicious)
          Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect Any.run; Hides threads from debuggers
          • cmd.exe (started)
              • conhost.exe (started)
              • timeout.exe (started)

Contacted Public IPs

IP               Domain                                Country        ASN    ASN Name      Malicious
5.230.68.40      shehootastayonwhatshelirned.top       Germany        12586  ASGHOSTNETDE  false
172.217.168.33   googlehosted.l.googleusercontent.com  United States  15169  GOOGLEUS      false
195.201.225.248  telete.in                             Germany        24940  HETZNER-ASDE  true

Contacted Private IPs

IP
192.168.2.1

Contacted Domains

Name                                  IP               Active
shehootastayonwhatshelirned.top       5.230.68.40      true
telete.in                             195.201.225.248  true
googlehosted.l.googleusercontent.com  172.217.168.33   true
doc-0o-7g-docs.googleusercontent.com  unknown          unknown