Windows Analysis Report GU#U00cdA DE CARGA...exe

Overview

General Information

Sample Name: GU#U00cdA DE CARGA...exe
Analysis ID: 491666
MD5: fcce8f5a7e5fcdf78c02d6543c1af2bd
SHA1: b2ea7197933811fc65425d46324af8ee231117f3
SHA256: 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
Tags: ESP, exe, geo, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Snake Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Telegram RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • GU#U00cdA DE CARGA...exe (PID: 2848 cmdline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' MD5: FCCE8F5A7E5FCDF78C02D6543C1AF2BD)
    • GU#U00cdA DE CARGA...exe (PID: 400 cmdline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe' MD5: FCCE8F5A7E5FCDF78C02D6543C1AF2BD)
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "24310@24310.gr", "Password": "?_bEpvL{rN$%", "Host": "mail.24310.gr", "Port": "themainlogs@gmail.com"}

Yara Overview

Memory Dumps

Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp
Rule: MAL_Envrial_Jan18_1 (Detects Encrial credential stealer malware; Author: Florian Roth)
Strings:
  • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
  • 0x2c329:$a5: \Kometa\User Data\Default\Login Data
Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp
Rule: JoeSecurity_SnakeKeylogger (Yara detected Snake Keylogger; Author: Joe Security)
Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp
Rule: JoeSecurity_TelegramRAT (Yara detected Telegram RAT; Author: Joe Security)
Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer; Author: Joe Security)
Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp
Rule: MAL_Envrial_Jan18_1 (Detects Encrial credential stealer malware; Author: Florian Roth)
Strings:
  • 0x1a720:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x19909:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19d50:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1aed1:$a5: \Kometa\User Data\Default\Login Data

Unpacked PEs

Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack
Rule: MAL_Envrial_Jan18_1 (Detects Encrial credential stealer malware; Author: Florian Roth)
Strings:
  • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
  • 0x2c329:$a5: \Kometa\User Data\Default\Login Data
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack
Rule: JoeSecurity_SnakeKeylogger (Yara detected Snake Keylogger; Author: Joe Security)
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack
Rule: JoeSecurity_TelegramRAT (Yara detected Telegram RAT; Author: Joe Security)
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack
Rule: JoeSecurity_CredentialStealer (Yara detected Credential Stealer; Author: Joe Security)
Source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack
Rule: MAL_Envrial_Jan18_1 (Detects Encrial credential stealer malware; Author: Florian Roth)
Strings:
  • 0x2bb78:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x2ad61:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x2b1a8:$a4: \Orbitum\User Data\Default\Login Data
  • 0x2c329:$a5: \Kometa\User Data\Default\Login Data

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "24310@24310.gr", "Password": "?_bEpvL{rN$%", "Host": "mail.24310.gr", "Port": "themainlogs@gmail.com"}
Machine Learning detection for sample
Source: GU#U00cdA DE CARGA...exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll | Joe Sandbox ML: detected
Source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack | Avira: Label: TR/Spy.Gen
Source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
Source: GU#U00cdA DE CARGA...exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00405EC2 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00402671 FindFirstFileA,
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 4x nop then jmp, at each of the following targets: 047FE9A7h, 047FE547h, 047FC868h, 047FD290h (3x), 047FE0E7h, 047FDC87h, 047FCCC9h, 047FEE07h, 0580A049h, 0580D469h, 0580A4A1h, 0580CBB9h, 05809BF1h, 0580D011h, 05809341h, 0580C761h, 05809799h, 0580BEB1h, 05808EE9h, 0580C309h, 05808639h, 0580BA59h, 05808A91h, 0580B1A9h, 0580B601h, 0580AD51h, 0580D8C1h, 0580A8F9h, 0580DD19h, 05824831h, 058236A9h, 05825991h, 058229A1h, 058243D9h, 05825539h, 05822549h, 05823F82h, 05823251h, 058220C9h, 058250E1h, 05824C89h, 05823B01h, 05825DE9h, 05822DF9h
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (3x)

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /xml/185.189.150.72 HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 216.146.43.70
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.5:49741 version: TLS 1.0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: GU#U00cdA DE CARGA...exe | String found in binary or memory: http://checkip.dyndns.org/
Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
Source: GU#U00cdA DE CARGA...exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: GU#U00cdA DE CARGA...exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
Source: GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/185.189.150.72
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/185.189.150.72x
Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Malicious sample detected (through community Yara rule)
Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth, on each of the following sources:
  • 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
  • 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
  • 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
  • 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
  • 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: GU#U00cdA DE CARGA...exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE) on each of the following sources:
  • 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
  • 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
  • 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
  • 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
  • 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
  • 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
  • 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
  • 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
              Source: GU#U00cdA DE CARGA...exe, 00000001.00000003.260420482.000000000EAFF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe | Binary or memory string: OriginalFilename vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameStubV4.exeR vs GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.521805997.0000000000197000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs GU#U00cdA DE CARGA...exe
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | File read: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
              Source: GU#U00cdA DE CARGA...exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | File created: C:\Users\user\AppData\Local\Temp\nsp29F7.tmp
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/2
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00402053 CoCreateInstance,MultiByteToWideChar,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
              Source: GU#U00cdA DE CARGA...exe | String found in binary or memory: F-Stopw
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u07fb?ufffd?/u06e8??u0097u005e.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Binary string: wntdll.pdbUGP source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: GU#U00cdA DE CARGA...exe, 00000001.00000003.265170689.000000000E9E0000.00000004.00000001.sdmp

              Data Obfuscation:

              Detected unpacking (overwrites its own PE header)
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
              Detected unpacking (creates a PE file in dynamic memory)
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Unpacked PE file: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401F16 push ecx; ret
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | File created: C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00405EC2 FindFirstFileA,FindClose,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_00402671 FindFirstFileA,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00404A29 FindFirstFileExW,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_004067FE GetProcessHeap,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_7333B472 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_7333B737 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_7333B776 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_7333B7B4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_7333B686 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_047FD308 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401E1D SetUnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ?u060c??ufffd/?ufffdu060c??.cs | Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
              Source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, ufffdu061d???/B??ufffd?.cs | Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Memory written: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Process created: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Progman
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
              Source: GU#U00cdA DE CARGA...exe, 00000002.00000002.523744753.0000000000CB0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_0040208D cpuid
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe | Code function: 1_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

              Stealing of Sensitive Information:

              Yara detected Snake Keylogger
              Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Yara detected Telegram RAT
              Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR
              Tries to harvest and steal ftp login credentialsShow sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Tries to steal Mail credentials (via file access)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Tries to harvest and steal browser information (history, passwords, etc)Show sources
              Source: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY

Yara detected Telegram RAT
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.674a90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.47b0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.3295530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e800000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.GU#U00cdA DE CARGA...exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.GU#U00cdA DE CARGA...exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.GU#U00cdA DE CARGA...exe.e811458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: GU#U00cdA DE CARGA...exe PID: 400, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 1 1 2 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Time Discovery 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 1 2 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 1 3 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 3 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 2 6 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
GU#U00cdA DE CARGA...exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll | 9% | ReversingLabs | Win32.Trojan.InjectorX

Unpacked PE Files

Source | Detection | Scanner | Label
2.1.GU#U00cdA DE CARGA...exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.2.GU#U00cdA DE CARGA...exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.0.GU#U00cdA DE CARGA...exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
2.2.GU#U00cdA DE CARGA...exe.4830000.5.unpack | 100% | Avira | TR/Spy.Gen
2.2.GU#U00cdA DE CARGA...exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
2.0.GU#U00cdA DE CARGA...exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366

Domains

Source | Detection | Scanner | Label
freegeoip.app | 3% | Virustotal |
checkip.dyndns.com | 0% | Virustotal |
checkip.dyndns.org | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://checkip.dyndns.org4 | 0% | URL Reputation | safe
https://freegeoip.app/xml/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://freegeoip.app/xml/185.189.150.72 | 0% | Avira URL Cloud | safe
https://freegeoip.app | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://freegeoip.app4 | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | Virustotal |
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
http://freegeoip.app | 0% | URL Reputation | safe
https://freegeoip.app/xml/185.189.150.72x | 0% | Avira URL Cloud | safe
http://checkip.dyndns.orgD8 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 104.21.19.200 | true | false | | unknown
checkip.dyndns.com | 216.146.43.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/185.189.150.72 | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org4 | GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/ | GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Error | GU#U00cdA DE CARGA...exe | false | | high
https://api.telegram.org/bot | GU#U00cdA DE CARGA...exe, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | false | | high
http://checkip.dyndns.org/q | GU#U00cdA DE CARGA...exe, 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, GU#U00cdA DE CARGA...exe, 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app4 | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | GU#U00cdA DE CARGA...exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GU#U00cdA DE CARGA...exe, 00000002.00000002.524448122.0000000002291000.00000004.00000001.sdmp | false | | high
http://freegeoip.app | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/185.189.150.72x | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.orgD8 | GU#U00cdA DE CARGA...exe, 00000002.00000002.524828166.0000000002337000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
216.146.43.70 | checkip.dyndns.com | United States | 33517 | DYNDNSUS | false
104.21.19.200 | freegeoip.app | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491666
Start date: 27.09.2021
Start time: 19:42:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GU#U00cdA DE CARGA...exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.9% (good quality ratio 17.8%)
• Quality average: 52.1%
• Quality standard deviation: 43.6%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.54.113.53, 95.100.54.203, 20.50.102.62, 23.0.174.200, 23.0.174.185, 40.112.88.60, 20.82.210.154, 23.10.249.43, 23.10.249.26
• Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
216.146.43.70 | RFQ-847393.exe | malicious | checkip.dyndns.org/
216.146.43.70 | Draft_scanned_copy.exe | malicious | checkip.dyndns.org/
216.146.43.70 | temp order.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PI.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO.exe | malicious | checkip.dyndns.org/
216.146.43.70 | ECueDLG20M.exe | malicious | checkip.dyndns.org/
216.146.43.70 | AVB CMAU6526450 40HC COI2100105.doc | malicious | checkip.dyndns.org/
216.146.43.70 | ABONOF2201.exe | malicious | checkip.dyndns.org/
216.146.43.70 | SWIFT_COPY USD 13420.60.exe | malicious | checkip.dyndns.org/
216.146.43.70 | SHIPPING DOC (CI,COO,PL,BL).exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO09858.exe | malicious | checkip.dyndns.org/
216.146.43.70 | Po#6672.pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | swift.exe | malicious | checkip.dyndns.org/
216.146.43.70 | 7BBm3Ns3nA.exe | malicious | checkip.dyndns.org/
216.146.43.70 | RFQ-847393.exe | malicious | checkip.dyndns.org/
216.146.43.70 | RFQ.exe | malicious | checkip.dyndns.org/
216.146.43.70 | MONRAC E FATURA 15.09.2021.pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | doc03589220210903102454.pdf.exe | malicious | checkip.dyndns.org/
216.146.43.70 | dFFHjYOuICF2IOc.exe | malicious | checkip.dyndns.org/
216.146.43.70 | PO.exe | malicious | checkip.dyndns.org/

                      Domains

                      Match: checkip.dyndns.com
                      Associated Sample Name / URL | Detection | Context
                      TT09876545678T8R456.exe | malicious | 132.226.247.73
                      01_extracted.exe | malicious | 158.101.44.242
                      SOA.exe | malicious | 193.122.6.168
                      S.O.A.exe | malicious | 193.122.130.0
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious | 132.226.247.73
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious | 193.122.130.0
                      DHL NOTIFICATIONS.exe | malicious | 193.122.130.0
                      DHL NOTIFICATION.exe | malicious | 216.146.43.71
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious | 132.226.8.169
                      2acrvok36Y.exe | malicious | 158.101.44.242
                      Pendants.exe | malicious | 132.226.8.169
                      09876567824567890987654.exe | malicious | 216.146.43.71
                      DHL Awb_ Docs 5544834610_pdf.exe | malicious | 132.226.8.169
                      NS. ORDINE N. 141.exe | malicious | 132.226.8.169
                      cash payment.exe | malicious | 193.122.130.0
                      TT09876545678T8R456.exe | malicious | 158.101.44.242
                      Swift_6408372.exe | malicious | 193.122.130.0
                      RFQ-847393.exe | malicious | 216.146.43.70
                      KLC45E_92421_PI.exe | malicious | 132.226.247.73
                      Yeni sipari#U015f _WJO-001, pdf.exe | malicious | 132.226.8.169

                      Match: freegeoip.app
                      Associated Sample Name / URL | Detection | Context
                      TT09876545678T8R456.exe | malicious | 104.21.19.200
                      01_extracted.exe | malicious | 104.21.19.200
                      SOA.exe | malicious | 172.67.188.154
                      S.O.A.exe | malicious | 172.67.188.154
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious | 104.21.19.200
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious | 172.67.188.154
                      DHL NOTIFICATIONS.exe | malicious | 172.67.188.154
                      DHL NOTIFICATION.exe | malicious | 172.67.188.154
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious | 172.67.188.154
                      2acrvok36Y.exe | malicious | 172.67.188.154
                      Exodus.exe | malicious | 104.21.19.200
                      Pendants.exe | malicious | 172.67.188.154
                      09876567824567890987654.exe | malicious | 104.21.19.200
                      DHL Awb_ Docs 5544834610_pdf.exe | malicious | 172.67.188.154
                      NS. ORDINE N. 141.exe | malicious | 172.67.188.154
                      cash payment.exe | malicious | 172.67.188.154
                      TT09876545678T8R456.exe | malicious | 104.21.19.200
                      Swift_6408372.exe | malicious | 172.67.188.154
                      RFQ-847393.exe | malicious | 172.67.188.154
                      KLC45E_92421_PI.exe | malicious | 104.21.19.200

                      ASN

                      Match: DYNDNSUS
                      Associated Sample Name / URL | Detection | Context
                      DHL NOTIFICATION.exe | malicious | 216.146.43.71
                      09876567824567890987654.exe | malicious | 216.146.43.71
                      RFQ-847393.exe | malicious | 216.146.43.70
                      TinphatPO0090221_Xlsx.exe | malicious | 216.146.43.71
                      ORD4367 _WJO-001, pdf.exe | malicious | 216.146.43.71
                      TT3456522345.exe | malicious | 216.146.43.71
                      Draft_scanned_copy.exe | malicious | 216.146.43.70
                      temp order.exe | malicious | 216.146.43.70
                      PI.exe | malicious | 216.146.43.70
                      PO.exe | malicious | 216.146.43.70
                      ECueDLG20M.exe | malicious | 216.146.43.70
                      AVB CMAU6526450 40HC COI2100105.doc | malicious | 216.146.43.70
                      PO 4500151298.exe | malicious | 216.146.43.71
                      ABONOF2201.exe | malicious | 216.146.43.70
                      hSqkX3ZIw4.exe | malicious | 216.146.43.70
                      MIKPRON GROUP - MATERIAL-REQUIREMENTS.exe | malicious | 216.146.43.71
                      SWIFT_COPY USD 13420.60.exe | malicious | 216.146.43.70
                      pF4vlHFijX.exe | malicious | 216.146.43.71
                      22234678762234500009000.exe | malicious | 216.146.43.71
                      AD4y5D8a4c.exe | malicious | 216.146.43.71

                      Match: CLOUDFLARENETUS
                      Associated Sample Name / URL | Detection | Context
                      TT09876545678T8R456.exe | malicious | 104.21.19.200
                      Original Shipping documents.exe | malicious | 162.159.129.233
                      Image-Scan-80195056703950029289.exe | malicious | 162.159.133.233
                      RHgAncmh0E.exe | malicious | 162.159.135.233
                      InvPixcareer.-43329_20210927.xlsb | malicious | 162.159.129.233
                      InvPixcareer.-43329_20210927.xlsb | malicious | 162.159.130.233
                      01_extracted.exe | malicious | 104.21.19.200
                      InvPixcareer.-5589234_20210927.xlsb | malicious | 162.159.135.233
                      INQUIRY LIST.exe | malicious | 162.159.133.233
                      qJvDfzBXbs | malicious | 104.16.180.49
                      YTHK21082400.exe | malicious | 162.159.133.233
                      Silver_Light_Group_DOC03027321122.exe | malicious | 162.159.129.233
                      Sht1aYGDIX | malicious | 1.3.103.27
                      26222021 114007 a.m. Owa Outlook App.html | malicious | 104.16.19.94
                      Taskmgr.exe | malicious | 162.159.134.233
                      SOA.exe | malicious | 172.67.188.154
                      SWIFT ADVISE VD20092021.Pdf.exe | malicious | 162.159.129.233
                      xccHIJ0vo7.exe | malicious | 162.159.133.233
                      S.O.A.exe | malicious | 172.67.188.154
                      9Fq3K0VfLK.exe | malicious | 162.159.134.233

                      JA3 Fingerprints

                      Match: 54328bd36c14bd82ddaa0c04b25ed9ad
                      Associated Sample Name / URL | Detection | Context
                      q2D8haqKv5.exe | malicious | 104.21.19.200
                      TT09876545678T8R456.exe | malicious | 104.21.19.200
                      Original Shipping documents.exe | malicious | 104.21.19.200
                      TAX INVOICE_CCU-30408495_00942998_20180910_194738.exe | malicious | 104.21.19.200
                      RHgAncmh0E.exe | malicious | 104.21.19.200
                      01_extracted.exe | malicious | 104.21.19.200
                      INQUIRY LIST.exe | malicious | 104.21.19.200
                      YTHK21082400.exe | malicious | 104.21.19.200
                      Taskmgr.exe | malicious | 104.21.19.200
                      SOA.exe | malicious | 104.21.19.200
                      SWIFT ADVISE VD20092021.Pdf.exe | malicious | 104.21.19.200
                      xccHIJ0vo7.exe | malicious | 104.21.19.200
                      S.O.A.exe | malicious | 104.21.19.200
                      9Fq3K0VfLK.exe | malicious | 104.21.19.200
                      LFC _ X#U00e1c nh#U1eadn #U0111#U01a1n h#U00e0ng _ Kh#U1ea9n c#U1ea5p,pdf.exe | malicious | 104.21.19.200
                      #U0916#U0930#U0940#U0926 #U0906#U0926#U0947#U0936-34002174,pdf.exe | malicious | 104.21.19.200
                      DHL NOTIFICATIONS.exe | malicious | 104.21.19.200
                      DHL NOTIFICATION.exe | malicious | 104.21.19.200
                      #Uc7ac #Uc8fc#Ubb38 #Ud655#Uc778,pdf.exe | malicious | 104.21.19.200
                      P.O-20210927041575.exe | malicious | 104.21.19.200

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Temp\150qx0uurbj07478t
                      Process: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      File Type: data
                      Category: dropped
                      Size (bytes): 286207
                      Entropy (8bit): 7.97789916669033
                      Encrypted: false
                      SSDEEP: 6144:guGADqFm61UqReSJr/m81S3kqvtxmZr7pEyAqR7WJuVcQTJYiL2A01:HGADqVLReSJcMr7nAE7WJeJY+2b1
                      MD5: 58E960ADA46422911469C6736EC07378
                      SHA1: 8E6E429BA453A550DEEAC0143F5A89B0BE16A90E
                      SHA-256: 4A32B80C0753D81B6675D53341FD77D1622C9AE376F2D6654FD2A20FB8E5749E
                      SHA-512: 54337928AAA67D141916602756C25698174E72E9156BAF742A91E28FA7AFF2E01BD9FC67B920FACE07DDC0889BD12B0E33A79D632BB456700DEC27469CF474DC
                      Malicious: false
                      Reputation: low
                      Preview: 4...rZ....*7..7...Y^.s .......5m.....5.O.OV..Y.g..$Sk.?.H.k.......3@..+.j....<.w...^.........\6m.S..4..B.T7.....=.^....:...Q..E.G.L~...*Oi.Z..tr..P..T82u...zb...=8;........9.9....>G/...5F*..E..i....F=c........@...S$.>68...g......17...M.$y!_/.L.KZ...y*7.S..w...s ........TjQ....5.O..V..Y.3..$S..?..k.....=V.@.35.]j#...un[5j..v....H... t%...q..L.AV^....W.1.;zj.^.Y..:...+p;c.|OY........K.W.x.#M.VBK..........,L9..X..%.s..~.U.P..{.q&...b4.C.?..M.~.._'...2.C.....qV..x..pE.....4..C...M.$y!_>..dZ...j*7..7..Y^. .......5m...z.5....A.Y...$S..?...k.....aV.@a35.]a#@........v...!H.>.. .%._R...L.AV9....6.<.;.i...3&.:....+:~c...Yh.>...>.*.l.x.#M.VBG.s$v.....D...9Fl....hs..~.U.P..{.q....b4.C.?..1.~x._'...2.C..X...'..x..pE.....4..C...M.$y!_/.L.KZ....*7..7..Y^.s .......5m.....5.O.OV..Y.g..$Sk.?.H.k.....aV.@a35.]a#...u.[.j..v...!H._.. t%._.q..L.AV9....6.1.;zj.^....:...+p;c.$.Yh.....>.*.l.x.#M.VBK..........,L9Fq...%.s..~.U.P..{.q&...b4.C.?..1.~x._'...2.C..X...'..
                      C:\Users\user\AppData\Local\Temp\nsk2A27.tmp\sbolbwplhfo.dll
                      Process: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                      Category: dropped
                      Size (bytes): 49152
                      Entropy (8bit): 6.207441110517842
                      Encrypted: false
                      SSDEEP: 768:yiljJiW4mQHeRfNzHMUNAf7momUEKRnJyQuJYDc2y2NnAHKlv/JWQvI2jIRo1imj:ljJiW4qzSzxvlv/JWQVZHVuIXxCReqdC
                      MD5: 1982C77D094D91EA36D299F4E8879B9E
                      SHA1: 4FAF7DD4BF9F8BEC2C0F421980B8FB2AB628835D
                      SHA-256: 7660CDD2DB7356C36ACB9D2472AC2C89EBDFD79EEF56DE9DBFED34FCDE381790
                      SHA-512: 75CA8A3BA5DD36C30805C13F5739F9E868D48AAA84D20A1E3B58923580726E40A3E4B850C66646CA1EE9AE46AE7A8ACCFF089D5BADE2677D7E8B4438087ED3BA
                      Malicious: true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 9%
                      Reputation: low
                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.3...`...`...`.o.a...`.o.a...`...`...`vS.a...`vS.a...`sS6`...`vS.a...`Rich...`........PE..L.....Qa...........!.....j...R............................................................@.........................0...H...t........................................................................................................................text....h.......j.................. ..`.bss.....................................rdata..,............n..............@..@.data...:6.......8...~..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                      Entropy (8bit): 7.911140442126515
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name: GU#U00cdA DE CARGA...exe
                      File size: 325929
                      MD5: fcce8f5a7e5fcdf78c02d6543c1af2bd
                      SHA1: b2ea7197933811fc65425d46324af8ee231117f3
                      SHA256: 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
                      SHA512: dbdb5ca75513d15f94a14ca771fbb55e3d4ba204b3d9ce243327b439e28ffd01c4a7f7ee7dda34c43ac1c3f51c5abd420ccb54af1e80d32e5c7cbe899b787537
                      SSDEEP: 6144:F8LxBs9fvNLROF9fYjzpeoG7DDCImlUR7WJDVcQTJ8iL2A03cu:/p1LQUj9eL7SIm87WJHJ8+2b3cu
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

                      File Icon

                      Icon Hash: b2a88c96b2ca6a72

                      Static PE Info

                      General

                      Entrypoint: 0x40312a
                      Entrypoint Section: .text
                      Digitally signed: false
                      Imagebase: 0x400000
                      Subsystem: windows gui
                      Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      DLL Characteristics: TERMINAL_SERVER_AWARE
                      Time Stamp: 0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major: 4
                      OS Version Minor: 0
                      File Version Major: 4
                      File Version Minor: 0
                      Subsystem Version Major: 4
                      Subsystem Version Minor: 0
                      Import Hash: b76363e9cb88bf9390860da8e50999d2

                      Entrypoint Preview

                      Instruction
                      sub esp, 00000184h
                      push ebx
                      push ebp
                      push esi
                      push edi
                      xor ebx, ebx
                      push 00008001h
                      mov dword ptr [esp+20h], ebx
                      mov dword ptr [esp+14h], 00409168h
                      mov dword ptr [esp+1Ch], ebx
                      mov byte ptr [esp+18h], 00000020h
                      call dword ptr [004070B0h]
                      call dword ptr [004070ACh]
                      cmp ax, 00000006h
                      je 00007FB3FCD28603h
                      push ebx
                      call 00007FB3FCD2B3E4h
                      cmp eax, ebx
                      je 00007FB3FCD285F9h
                      push 00000C00h
                      call eax
                      mov esi, 00407280h
                      push esi
                      call 00007FB3FCD2B360h
                      push esi
                      call dword ptr [00407108h]
                      lea esi, dword ptr [esi+eax+01h]
                      cmp byte ptr [esi], bl
                      jne 00007FB3FCD285DDh
                      push 0000000Dh
                      call 00007FB3FCD2B3B8h
                      push 0000000Bh
                      call 00007FB3FCD2B3B1h
                      mov dword ptr [0042EC24h], eax
                      call dword ptr [00407038h]
                      push ebx
                      call dword ptr [0040726Ch]
                      mov dword ptr [0042ECD8h], eax
                      push ebx
                      lea eax, dword ptr [esp+38h]
                      push 00000160h
                      push eax
                      push ebx
                      push 00429058h
                      call dword ptr [0040715Ch]
                      push 0040915Ch
                      push 0042E420h
                      call 00007FB3FCD2AFE4h
                      call dword ptr [0040710Ch]
                      mov ebp, 00434000h
                      push eax
                      push ebp
                      call 00007FB3FCD2AFD2h
                      push ebx
                      call dword ptr [00407144h]

                      Rich Headers

                      Programming Language:
                      • [EXP] VC++ 6.0 SP5 build 8804

                      Data Directories

                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x9e0 | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                      Sections

                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      .rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                      .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .rsrc | 0x37000 | 0x9e0 | 0xa00 | False | 0.45390625 | data | 4.4968702957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                      Resources

                      Name | RVA | Size | Type | Language | Country
                      RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                      RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                      RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                      RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                      RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                      RT_MANIFEST | 0x37710 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                      Imports

                      DLL | Import
                      KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                      USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                      GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                      SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                      ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                      COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                      ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                      Possible Origin

                      Language of compilation system | Country where language is spoken
                      English | United States

                      Network Behavior

                      Network Port Distribution

                      TCP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 27, 2021 19:43:58.692723989 CEST | 49739 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.731369019 CEST | 80 | 49739 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.735291004 CEST | 49739 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.736373901 CEST | 49739 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.775042057 CEST | 80 | 49739 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.775068998 CEST | 80 | 49739 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.775084972 CEST | 80 | 49739 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.775247097 CEST | 49739 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.777354002 CEST | 49739 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.818202019 CEST | 80 | 49739 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.939796925 CEST | 49740 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.980545044 CEST | 80 | 49740 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:58.980680943 CEST | 49740 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:58.981575012 CEST | 49740 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:59.019995928 CEST | 80 | 49740 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:59.020028114 CEST | 80 | 49740 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:59.020040989 CEST | 80 | 49740 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:43:59.020114899 CEST | 49740 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:59.020462990 CEST | 49740 | 80 | 192.168.2.5 | 216.146.43.70
                      Sep 27, 2021 19:43:59.058743954 CEST | 80 | 49740 | 216.146.43.70 | 192.168.2.5
                      Sep 27, 2021 19:44:00.376888037 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:00.376948118 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:00.378215075 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:00.454566956 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:00.454607010 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:00.501405954 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:00.501524925 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:00.506860018 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:00.506887913 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:00.507334948 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:00.550594091 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:01.994297028 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:02.035144091 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:02.056082010 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:02.056166887 CEST | 443 | 49741 | 104.21.19.200 | 192.168.2.5
                      Sep 27, 2021 19:44:02.056307077 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200
                      Sep 27, 2021 19:44:02.060013056 CEST | 49741 | 443 | 192.168.2.5 | 104.21.19.200

                      UDP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 27, 2021 19:43:42.217348099 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:43:42.238398075 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:43:53.645126104 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:43:53.683273077 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:43:58.510322094 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:43:58.523349047 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:43:58.534156084 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:43:58.546883106 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:00.354196072 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:00.374561071 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:13.677108049 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:13.691576004 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:30.873433113 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:30.893045902 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:35.501491070 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:35.534218073 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:49.152272940 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:49.180003881 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:44:51.560977936 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:44:51.588670969 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:45:25.898906946 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:45:25.926074982 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                      Sep 27, 2021 19:45:27.594351053 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                      Sep 27, 2021 19:45:27.628565073 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5

                      DNS Queries

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Sep 27, 2021 19:43:58.510322094 CEST | 192.168.2.5 | 8.8.8.8 | 0xcbd0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.534156084 CEST | 192.168.2.5 | 8.8.8.8 | 0x4482 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:44:00.354196072 CEST | 192.168.2.5 | 8.8.8.8 | 0x13d6 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.523349047 CEST | 8.8.8.8 | 192.168.2.5 | 0xcbd0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:43:58.546883106 CEST | 8.8.8.8 | 192.168.2.5 | 0x4482 | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:44:00.374561071 CEST | 8.8.8.8 | 192.168.2.5 | 0x13d6 | No error (0) | freegeoip.app | | 104.21.19.200 | A (IP address) | IN (0x0001)
                      Sep 27, 2021 19:44:00.374561071 CEST | 8.8.8.8 | 192.168.2.5 | 0x13d6 | No error (0) | freegeoip.app | | 172.67.188.154 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • freegeoip.app
                      • checkip.dyndns.org

                      HTTP Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.5 | 49741 | 104.21.19.200 | 443 | C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Timestamp | kBytes transferred | Direction | Data
                      (TLS session: no plaintext on the wire. The proxied, decrypted exchange for this session is listed under HTTPS Proxied Packets.)

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.5 | 49739 | 216.146.43.70 | 80 | C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Timestamp | kBytes transferred | Direction | Data
                      Sep 27, 2021 19:43:58.736373901 CEST | 943 | OUT | GET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Connection: Keep-Alive
                      Sep 27, 2021 19:43:58.775068998 CEST | 943 | IN | HTTP/1.1 200 OK
                      Content-Type: text/html
                      Server: DynDNS-CheckIP/1.0.1
                      Connection: close
                      Cache-Control: no-cache
                      Pragma: no-cache
                      Content-Length: 106
                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.189.150.72</body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      2 | 192.168.2.5 | 49740 | 216.146.43.70 | 80 | C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Timestamp | kBytes transferred | Direction | Data
                      Sep 27, 2021 19:43:58.981575012 CEST | 944 | OUT | GET / HTTP/1.1
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                      Host: checkip.dyndns.org
                      Sep 27, 2021 19:43:59.020028114 CEST | 944 | IN | HTTP/1.1 200 OK
                      Content-Type: text/html
                      Server: DynDNS-CheckIP/1.0.1
                      Connection: close
                      Cache-Control: no-cache
                      Pragma: no-cache
                      Content-Length: 106
                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 185.189.150.72</body></html>


                      HTTPS Proxied Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.5 | 49741 | 104.21.19.200 | 443 | C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Timestamp | kBytes transferred | Direction | Data
                      2021-09-27 17:44:01 UTC | 0 | OUT | GET /xml/185.189.150.72 HTTP/1.1
                      Host: freegeoip.app
                      Connection: Keep-Alive
                      2021-09-27 17:44:02 UTC | 0 | IN | HTTP/1.1 200 OK
                      Date: Mon, 27 Sep 2021 17:44:02 GMT
                      Content-Type: application/xml
                      Content-Length: 350
                      Connection: close
                      vary: Origin
                      x-database-date: Wed, 25 Aug 2021 10:15:20 GMT
                      x-ratelimit-limit: 15000
                      x-ratelimit-remaining: 14998
                      x-ratelimit-reset: 2021
                      CF-Cache-Status: DYNAMIC
                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xnIrddQbAR28rsEF6vjI0LTXIR0OyKzGTsgbVIshtcb6P0qiDek0%2BEApD7d7R2SVsQKvnw5gNulz6f%2BGC0%2FiT7xBCKIc8V2AAdgEuu4piJcU%2BbbAI%2B8dhI0npTANiPvL"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 695689a48d7c3756-MXP
                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                      2021-09-27 17:44:02 UTC0INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 38 35 2e 31 38 39 2e 31 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 43 48 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 53 77 69 74 7a 65 72 6c 61 6e 64 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 5a 48 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 5a 75 72 69 63 68 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 5a 75 72 69 63 68 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 38 30 39 30 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 45 75 72 6f 70 65 2f 5a 75 72 69 63 68 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61
                      Data Ascii: <Response><IP>185.189.150.72</IP><CountryCode>CH</CountryCode><CountryName>Switzerland</CountryName><RegionCode>ZH</RegionCode><RegionName>Zurich</RegionName><City>Zurich</City><ZipCode>8090</ZipCode><TimeZone>Europe/Zurich</TimeZone><La
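Detection logic for the traffic above, added here as an example; it is not part of the sandbox report and not code from the sample. The three HTTP sessions are transcribed from the tables (CEST timestamps converted to UTC), while the record layout, the host lists and the function names are this example's own assumptions. It flags a process that asks an IP-check service for its public address and then sends that same address to a geolocation service, parses the geolocation reply even when the capture is cut off (as the report's copy is, ending at `<La`), and notes the request that carries no User-Agent at all.

```python
"""Detect "learn my public IP, then geolocate it" from HTTP session records.
Added example for this report, not Joe Sandbox code. Record layout, host
lists and function names are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from xml.etree import ElementTree

# Services whose only purpose is to echo the caller's public IP address.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com",
                  "checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}
# Services that geolocate an IP supplied in the request path or query.
GEOIP_HOSTS = {"freegeoip.app", "ip-api.com", "ipapi.co", "ipinfo.io"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class HttpSession:
    ts: str                  # ISO-8601 UTC, sortable as text
    process: str
    dst: str                 # "ip:port"
    request_line: str        # e.g. "GET /xml/185.189.150.72 HTTP/1.1"
    headers: Dict[str, str]
    response_body: str

    @property
    def host(self) -> str:
        return self.headers.get("Host", "").lower()

    @property
    def path(self) -> str:
        parts = self.request_line.split()
        return parts[1] if len(parts) >= 2 else ""


def public_ip_from_body(body: str) -> Optional[str]:
    """First IPv4 literal in an IP-check response ("Current IP Address: ...")."""
    m = IPV4.search(body)
    return m.group(0) if m else None


def geoip_fields(body: str) -> Dict[str, str]:
    """IP and country from a freegeoip-style XML body. Sandbox captures are
    often truncated, so fall back to per-tag regex when the XML will not parse."""
    tags = ("IP", "CountryCode", "CountryName")
    try:
        root = ElementTree.fromstring(body)
        return {t: (root.findtext(t) or "") for t in tags}
    except ElementTree.ParseError:
        out = {}
        for t in tags:
            m = re.search(rf"<{t}>([^<]*)</{t}>", body)
            if m:
                out[t] = m.group(1)
        return out


def user_agent_anomaly(s: HttpSession) -> Optional[str]:
    """No User-Agent, or one advertising IE 6 / .NET CLR 1.0, which no
    current Windows host emits."""
    ua = s.headers.get("User-Agent")
    if ua is None:
        return "no User-Agent header"
    if "MSIE 6.0" in ua or ".NET CLR1.0" in ua:
        return f"legacy User-Agent: {ua}"
    return None


def detect_ip_recon(sessions: List[HttpSession]) -> List[dict]:
    """One finding per geolocation request whose path carries a public IP
    the same process was previously told by an IP-check service."""
    learned: Dict[str, set] = {}          # process -> public IPs it received
    findings = []
    for s in sorted(sessions, key=lambda x: x.ts):
        if s.host in IP_CHECK_HOSTS:
            ip = public_ip_from_body(s.response_body)
            if ip:
                learned.setdefault(s.process, set()).add(ip)
        elif s.host in GEOIP_HOSTS:
            for ip in sorted(learned.get(s.process, ())):
                if ip in s.path:
                    findings.append({"process": s.process, "public_ip": ip,
                                     "geoip_host": s.host, "ts": s.ts,
                                     "geoip": geoip_fields(s.response_body),
                                     "ua_anomaly": user_agent_anomaly(s)})
    return findings


# Constructed input: the three sessions from the report's HTTP tables.
PROC = r"C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe"
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
CHECKIP_BODY = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 185.189.150.72</body></html>\r\n")
GEOIP_BODY = ("<Response>\n\t<IP>185.189.150.72</IP>\n\t<CountryCode>CH</CountryCode>\n"
              "\t<CountryName>Switzerland</CountryName>\n\t<RegionCode>ZH</RegionCode>\n"
              "\t<RegionName>Zurich</RegionName>\n\t<City>Zurich</City>\n"
              "\t<ZipCode>8090</ZipCode>\n\t<TimeZone>Europe/Zurich</TimeZone>\n\t<La")
SESSIONS = [
    HttpSession("2021-09-27T17:43:58.736Z", PROC, "216.146.43.70:80", "GET / HTTP/1.1",
                {"User-Agent": LEGACY_UA, "Host": "checkip.dyndns.org",
                 "Connection": "Keep-Alive"}, CHECKIP_BODY),
    HttpSession("2021-09-27T17:43:58.981Z", PROC, "216.146.43.70:80", "GET / HTTP/1.1",
                {"User-Agent": LEGACY_UA, "Host": "checkip.dyndns.org"}, CHECKIP_BODY),
    HttpSession("2021-09-27T17:44:01.000Z", PROC, "104.21.19.200:443",
                "GET /xml/185.189.150.72 HTTP/1.1",
                {"Host": "freegeoip.app", "Connection": "Keep-Alive"}, GEOIP_BODY),
]

if __name__ == "__main__":
    for finding in detect_ip_recon(SESSIONS):
        print(finding)
```

Run directly, the script prints one finding for the report's three sessions: the checkip reply taught the process 185.189.150.72, the freegeoip request embedded that address in its path, and the reply (despite being truncated) yields CountryCode CH. The host sets are a starting point; extend them from the IP-check and geolocation domains seen in your own egress logs.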


                      Code Manipulations

                      Statistics

                      Behavior


                      System Behavior

                      General

                      Start time: 19:43:47
                      Start date: 27/09/2021
                      Path: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Wow64 process (32bit): true
                      Commandline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
                      Imagebase: 0x400000
                      File size: 325929 bytes
                      MD5 hash: FCCE8F5A7E5FCDF78C02D6543C1AF2BD
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.274533096.000000000E800000.00000004.00000001.sdmp, Author: Joe Security
                      Reputation: low

                      General

                      Start time: 19:43:49
                      Start date: 27/09/2021
                      Path: C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe
                      Wow64 process (32bit): true
                      Commandline: 'C:\Users\user\Desktop\GU#U00cdA DE CARGA...exe'
                      Imagebase: 0x400000
                      File size: 325929 bytes
                      MD5 hash: FCCE8F5A7E5FCDF78C02D6543C1AF2BD
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: .Net C# or VB.NET
                      Yara matches:
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525379203.00000000047B0000.00000004.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522534689.0000000000659000.00000004.00000020.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525193747.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                      • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.522080443.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.525573044.0000000004832000.00000040.00000001.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.270799123.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                      Reputation: low

                      Disassembly

                      Code Analysis
