Windows Analysis Report
FACTURA-002297.exe

Overview

General Information

Sample name: FACTURA-002297.exe
Analysis ID: 1524995
MD5: e0cdd543f142a8cb51c02d2229f9602d
SHA1: fe357f74ea47ba6319fe68240131f19c9ae2664d
SHA256: 1602325d55a3537877b0a08c80dfd34f69a12b08d10af3b5aec5479fac779283

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: FACTURA-002297.exe Avira: detected
Source: FACTURA-002297.exe ReversingLabs: Detection: 13%
Source: Yara match File source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: FACTURA-002297.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.251.32.110:443 -> 192.168.11.30:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.81.225:443 -> 192.168.11.30:49805 version: TLS 1.2
Source: FACTURA-002297.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: SecEdit.pdb source: FACTURA-002297.exe, 00000001.00000002.13215535110.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13180075651.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: FACTURA-002297.exe, 00000001.00000001.12705991401.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: SecEdit.pdbGCTL source: FACTURA-002297.exe, 00000001.00000002.13215535110.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13180075651.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: FACTURA-002297.exe, 00000001.00000003.13122847892.0000000032A96000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13126720874.0000000032C4E000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032F2D000.00000040.00001000.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032E00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13211211466.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13214921112.0000000002B56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: FACTURA-002297.exe, FACTURA-002297.exe, 00000001.00000003.13122847892.0000000032A96000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13126720874.0000000032C4E000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032F2D000.00000040.00001000.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032E00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, SecEdit.exe, 00000003.00000002.14765387311.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13211211466.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13214921112.0000000002B56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: FACTURA-002297.exe, 00000001.00000001.12705991401.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 4x nop then mov ebx, 00000004h 1_2_32B204DE
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 4x nop then mov ebx, 00000004h 2_2_03E0B2C9
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 4x nop then mov ebx, 00000004h 3_2_02B604DE
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.30:49804 -> 142.251.32.110:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1OdgW5jXNxO1G0UZ5n_rUYTHivp-qXwoP HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1OdgW5jXNxO1G0UZ5n_rUYTHivp-qXwoP&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405553

E-Banking Fraud

Source: Yara match File source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E734E0 NtCreateMutant,LdrInitializeThunk, 1_2_32E734E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72BC0 NtQueryInformationToken,LdrInitializeThunk, 1_2_32E72BC0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B90 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_32E72B90
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72EB0 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_32E72EB0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72D10 NtQuerySystemInformation,LdrInitializeThunk, 1_2_32E72D10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E74260 NtSetContextThread, 1_2_32E74260
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E74570 NtSuspendThread, 1_2_32E74570
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72AC0 NtEnumerateValueKey, 1_2_32E72AC0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72AA0 NtQueryInformationFile, 1_2_32E72AA0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72A80 NtClose, 1_2_32E72A80
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72A10 NtWriteFile, 1_2_32E72A10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72BE0 NtQueryVirtualMemory, 1_2_32E72BE0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B80 NtCreateKey, 1_2_32E72B80
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B20 NtQueryInformationProcess, 1_2_32E72B20
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B00 NtQueryValueKey, 1_2_32E72B00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B10 NtAllocateVirtualMemory, 1_2_32E72B10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E738D0 NtGetContextThread, 1_2_32E738D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E729F0 NtReadFile, 1_2_32E729F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E729D0 NtWaitForSingleObject, 1_2_32E729D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72EC0 NtQuerySection, 1_2_32E72EC0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72ED0 NtResumeThread, 1_2_32E72ED0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72E80 NtCreateProcessEx, 1_2_32E72E80
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72E50 NtCreateSection, 1_2_32E72E50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72E00 NtQueueApcThread, 1_2_32E72E00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72FB0 NtSetValueKey, 1_2_32E72FB0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72F30 NtOpenDirectoryObject, 1_2_32E72F30
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72F00 NtCreateFile, 1_2_32E72F00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72CF0 NtDelayExecution, 1_2_32E72CF0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72CD0 NtEnumerateKey, 1_2_32E72CD0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E73C90 NtOpenThread, 1_2_32E73C90
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72C50 NtUnmapViewOfSection, 1_2_32E72C50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72C20 NtSetInformationFile, 1_2_32E72C20
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E73C30 NtOpenProcessToken, 1_2_32E73C30
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72C30 NtMapViewOfSection, 1_2_32E72C30
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72C10 NtOpenProcess, 1_2_32E72C10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72DC0 NtAdjustPrivilegesToken, 1_2_32E72DC0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72DA0 NtReadVirtualMemory, 1_2_32E72DA0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72D50 NtWriteVirtualMemory, 1_2_32E72D50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2F40C NtQueueApcThread, 1_2_32B2F40C
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0EBD0 SleepEx,NtCreateSection, 2_2_03E0EBD0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0EDD3 SleepEx,NtResumeThread, 2_2_03E0EDD3
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D734E0 NtCreateMutant,LdrInitializeThunk, 3_2_02D734E0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72A80 NtClose,LdrInitializeThunk, 3_2_02D72A80
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72BC0 NtQueryInformationToken,LdrInitializeThunk, 3_2_02D72BC0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72B90 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_02D72B90
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72B80 NtCreateKey,LdrInitializeThunk, 3_2_02D72B80
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72B10 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_02D72B10
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72B00 NtQueryValueKey,LdrInitializeThunk, 3_2_02D72B00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D729F0 NtReadFile,LdrInitializeThunk, 3_2_02D729F0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72E50 NtCreateSection,LdrInitializeThunk, 3_2_02D72E50
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72F00 NtCreateFile,LdrInitializeThunk, 3_2_02D72F00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72CF0 NtDelayExecution,LdrInitializeThunk, 3_2_02D72CF0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C30 NtMapViewOfSection,LdrInitializeThunk, 3_2_02D72C30
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72D10 NtQuerySystemInformation,LdrInitializeThunk, 3_2_02D72D10
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D74260 NtSetContextThread, 3_2_02D74260
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D74570 NtSuspendThread, 3_2_02D74570
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72AC0 NtEnumerateValueKey, 3_2_02D72AC0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72AA0 NtQueryInformationFile, 3_2_02D72AA0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72A10 NtWriteFile, 3_2_02D72A10
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72BE0 NtQueryVirtualMemory, 3_2_02D72BE0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72B20 NtQueryInformationProcess, 3_2_02D72B20
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D738D0 NtGetContextThread, 3_2_02D738D0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D729D0 NtWaitForSingleObject, 3_2_02D729D0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72ED0 NtResumeThread, 3_2_02D72ED0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72EC0 NtQuerySection, 3_2_02D72EC0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72E80 NtCreateProcessEx, 3_2_02D72E80
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72EB0 NtProtectVirtualMemory, 3_2_02D72EB0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72E00 NtQueueApcThread, 3_2_02D72E00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72FB0 NtSetValueKey, 3_2_02D72FB0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72F30 NtOpenDirectoryObject, 3_2_02D72F30
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72CD0 NtEnumerateKey, 3_2_02D72CD0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D73C90 NtOpenThread, 3_2_02D73C90
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C50 NtUnmapViewOfSection, 3_2_02D72C50
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C10 NtOpenProcess, 3_2_02D72C10
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D73C30 NtOpenProcessToken, 3_2_02D73C30
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C20 NtSetInformationFile, 3_2_02D72C20
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72DC0 NtAdjustPrivilegesToken, 3_2_02D72DC0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72DA0 NtReadVirtualMemory, 3_2_02D72DA0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72D50 NtWriteVirtualMemory, 3_2_02D72D50
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6EEBA NtQueryInformationProcess, 3_2_02B6EEBA
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B73A48 NtResumeThread, 3_2_02B73A48
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B73728 NtSuspendThread, 3_2_02B73728
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B73408 NtSetContextThread, 3_2_02B73408
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B73D68 NtQueueApcThread, 3_2_02B73D68
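The run of stub-sized functions listed above, each wrapping a single Nt* call (often paired with LdrInitializeThunk) at neighbouring addresses in both FACTURA-002297.exe and SecEdit.exe, is the evidence behind the "direct / indirect syscall" and thread-injection signatures in the summary. The following Python is an added triage example, not part of the Joe Sandbox report or its tooling: it parses lines of this shape, inventories the Nt* calls per process, counts functions that wrap exactly one native call, and flags processes whose inventory spans enough injection primitives (open process, allocate/write, section mapping, thread context, APC) to carry out a classic injection chain. The sample lines are a constructed subset copied in shape from the report; the primitive groups and the three-category threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's "Code function" lines, copied in
# shape (the real report lists several dozen Nt* wrappers for each injected
# process). The parsing and scoring below are this example's own, not Joe Sandbox's.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E734E0 NtCreateMutant,LdrInitializeThunk, 1_2_32E734E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72B10 NtAllocateVirtualMemory, 1_2_32E72B10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E74260 NtSetContextThread, 1_2_32E74260
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72E50 NtCreateSection, 1_2_32E72E50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72C30 NtMapViewOfSection, 1_2_32E72C30
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72E00 NtQueueApcThread, 1_2_32E72E00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72D50 NtWriteVirtualMemory, 1_2_32E72D50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72ED0 NtResumeThread, 1_2_32E72ED0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D2EC 1_2_32E2D2EC
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0EBD0 SleepEx,NtCreateSection, 2_2_03E0EBD0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0EDD3 SleepEx,NtResumeThread, 2_2_03E0EDD3
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72E00 NtQueueApcThread, 3_2_02D72E00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C30 NtMapViewOfSection,LdrInitializeThunk, 3_2_02D72C30
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72D50 NtWriteVirtualMemory, 3_2_02D72D50
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B73408 NtSetContextThread, 3_2_02B73408
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D72C10 NtOpenProcess, 3_2_02D72C10
"""

# Line shape: <process index>_<run>_<address> <Api1,Api2,> <same id>. The API
# list is absent for functions that call nothing the sandbox names.
LINE_RE = re.compile(
    r"^Source: (?P<process>.+?) Code function: "
    r"(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?:(?P<apis>[\w#,]+),\s+)?"
    r"\d+_\d+_[0-9A-Fa-f]+\s*$"
)

# Native calls grouped by the role they play in an injection chain (assumption).
INJECTION_PRIMITIVES = {
    "process open": {"NtOpenProcess", "NtCreateProcessEx"},
    "allocate/write": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "thread hijack": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
    "APC": {"NtQueueApcThread"},
}


def parse_code_functions(text):
    """One record per 'Code function' line: image name, process index, address, APIs."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = tuple(a for a in (m.group("apis") or "").split(",") if a)
        records.append({
            "image": m.group("process").rsplit("\\", 1)[-1],
            "proc": int(m.group("proc")),
            "addr": int(m.group("addr"), 16),
            "apis": apis,
        })
    return records


def nt_inventory(records):
    """Set of Nt* calls referenced, keyed by (process index, image name)."""
    inv = defaultdict(set)
    for r in records:
        inv[(r["proc"], r["image"])].update(a for a in r["apis"] if a.startswith("Nt"))
    return {k: v for k, v in inv.items() if v}


def single_syscall_stubs(records):
    """Count functions that wrap exactly one Nt* call and nothing else except
    LdrInitializeThunk. Dozens of such tiny functions at neighbouring addresses
    look like a private syscall table rather than application code."""
    counts = defaultdict(int)
    for r in records:
        nt = [a for a in r["apis"] if a.startswith("Nt")]
        other = [a for a in r["apis"] if not a.startswith("Nt") and a != "LdrInitializeThunk"]
        if len(nt) == 1 and not other:
            counts[r["proc"]] += 1
    return dict(counts)


def injection_assessment(inventory, min_categories=3):
    """Flag processes whose Nt* inventory spans at least `min_categories` of the
    primitive groups above (the threshold is this example's assumption)."""
    flagged = {}
    for key, apis in inventory.items():
        hit = sorted(cat for cat, members in INJECTION_PRIMITIVES.items() if apis & members)
        if len(hit) >= min_categories:
            flagged[key] = hit
    return flagged


if __name__ == "__main__":
    recs = parse_code_functions(SAMPLE_REPORT)
    inv = nt_inventory(recs)
    stubs = single_syscall_stubs(recs)
    for (proc, image), cats in injection_assessment(inv).items():
        print(f"[{proc}] {image}: {len(inv[(proc, image)])} Nt* calls, "
              f"{stubs.get(proc, 0)} single-call stubs, primitives: {', '.join(cats)}")
```

On the constructed subset the script flags process 1 (the relaunched FACTURA-002297.exe) and process 3 (SecEdit.exe) and leaves RAVCpl64.exe unflagged; run against the full report, the many `LdrInitializeThunk` pairings in process 3 and the ntdll.dll OriginalFilename strings found in process 1 memory are what a reviewer would weigh next, since a privately mapped ntdll is one way to reach Nt* stubs without passing through user-mode hooks.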
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\FACTURA-002297.exe File created: C:\Windows\resources\0409 Jump to behavior
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00404D90 0_2_00404D90
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00406ABA 0_2_00406ABA
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D2EC 1_2_32E2D2EC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFF330 1_2_32EFF330
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4E310 1_2_32E4E310
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF70F1 1_2_32EF70F1
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4B0D0 1_2_32E4B0D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E300A0 1_2_32E300A0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E7508C 1_2_32E7508C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEE076 1_2_32EEE076
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E451C0 1_2_32E451C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E8717A 1_2_32E8717A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDD130 1_2_32EDD130
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0010E 1_2_32F0010E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3C6E0 1_2_32E3C6E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB36EC 1_2_32EB36EC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFF6F6 1_2_32EFF6F6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E64670 1_2_32E64670
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EED646 1_2_32EED646
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDD62C 1_2_32EDD62C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5C600 1_2_32E5C600
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E42760 1_2_32E42760
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4A760 1_2_32E4A760
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF6757 1_2_32EF6757
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40445 1_2_32E40445
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFF5C9 1_2_32EFF5C9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF75C6 1_2_32EF75C6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0A526 1_2_32F0A526
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5FAA0 1_2_32E5FAA0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFFA89 1_2_32EFFA89
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFEA5B 1_2_32EFEA5B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFCA13 1_2_32EFCA13
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB4BC0 1_2_32EB4BC0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFFB2E 1_2_32EFFB2E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40B10 1_2_32E40B10
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E7DB19 1_2_32E7DB19
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF78F3 1_2_32EF78F3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E428C0 1_2_32E428C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB98B2 1_2_32EB98B2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E56882 1_2_32E56882
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E26868 1_2_32E26868
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E49870 1_2_32E49870
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B870 1_2_32E5B870
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFF872 1_2_32EFF872
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EE0835 1_2_32EE0835
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E43800 1_2_32E43800
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E810 1_2_32E6E810
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E859C0 1_2_32E859C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3E9A0 1_2_32E3E9A0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFE9A6 1_2_32EFE9A6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E32EE8 1_2_32E32EE8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF9ED2 1_2_32EF9ED2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF0EAD 1_2_32EF0EAD
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E41EB2 1_2_32E41EB2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EE0E6D 1_2_32EE0E6D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E82E48 1_2_32E82E48
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E60E50 1_2_32E60E50
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E46FE0 1_2_32E46FE0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF1FC6 1_2_32EF1FC6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFEFBF 1_2_32EFEFBF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFFF63 1_2_32EFFF63
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4CF00 1_2_32E4CF00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5FCE0 1_2_32E5FCE0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0ACEB 1_2_32F0ACEB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E58CDF 1_2_32E58CDF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32ED9C98 1_2_32ED9C98
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E43C60 1_2_32E43C60
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF6C69 1_2_32EF6C69
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFEC60 1_2_32EFEC60
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEEC4C 1_2_32EEEC4C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4AC20 1_2_32E4AC20
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E30C12 1_2_32E30C12
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDFDF4 1_2_32EDFDF4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E49DD0 1_2_32E49DD0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E52DB0 1_2_32E52DB0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40D69 1_2_32E40D69
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF7D4C 1_2_32EF7D4C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFFD27 1_2_32EFFD27
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3AD00 1_2_32E3AD00
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2E307 1_2_32B2E307
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2C9B3 1_2_32B2C9B3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2E1E8 1_2_32B2E1E8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2E69D 1_2_32B2E69D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2D708 1_2_32B2D708
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2E46D 1_2_32B2E46D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E18FD3 2_2_03E18FD3
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E1779E 2_2_03E1779E
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E19258 2_2_03E19258
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E184F3 2_2_03E184F3
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E190F2 2_2_03E190F2
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E19488 2_2_03E19488
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D2D2EC 3_2_02D2D2EC
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D31380 3_2_02D31380
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D4E310 3_2_02D4E310
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFF330 3_2_02DFF330
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D4B0D0 3_2_02D4B0D0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF70F1 3_2_02DF70F1
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D7508C 3_2_02D7508C
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D300A0 3_2_02D300A0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DEE076 3_2_02DEE076
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D451C0 3_2_02D451C0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D5B1E0 3_2_02D5B1E0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D8717A 3_2_02D8717A
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D2F113 3_2_02D2F113
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DDD130 3_2_02DDD130
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02E0010E 3_2_02E0010E
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFF6F6 3_2_02DFF6F6
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D3C6E0 3_2_02D3C6E0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DB36EC 3_2_02DB36EC
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D40680 3_2_02D40680
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DED646 3_2_02DED646
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D64670 3_2_02D64670
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D5C600 3_2_02D5C600
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DDD62C 3_2_02DDD62C
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF6757 3_2_02DF6757
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D42760 3_2_02D42760
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D4A760 3_2_02D4A760
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DAD480 3_2_02DAD480
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D40445 3_2_02D40445
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFF5C9 3_2_02DFF5C9
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF75C6 3_2_02DF75C6
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02E0A526 3_2_02E0A526
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFFA89 3_2_02DFFA89
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D5FAA0 3_2_02D5FAA0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFEA5B 3_2_02DFEA5B
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFCA13 3_2_02DFCA13
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DB4BC0 3_2_02DB4BC0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D40B10 3_2_02D40B10
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D7DB19 3_2_02D7DB19
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFFB2E 3_2_02DFFB2E
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D428C0 3_2_02D428C0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF78F3 3_2_02DF78F3
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D56882 3_2_02D56882
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DB98B2 3_2_02DB98B2
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D49870 3_2_02D49870
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D5B870 3_2_02D5B870
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFF872 3_2_02DFF872
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D26868 3_2_02D26868
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D6E810 3_2_02D6E810
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D43800 3_2_02D43800
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DE0835 3_2_02DE0835
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D859C0 3_2_02D859C0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D3E9A0 3_2_02D3E9A0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFE9A6 3_2_02DFE9A6
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF9ED2 3_2_02DF9ED2
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D32EE8 3_2_02D32EE8
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D41EB2 3_2_02D41EB2
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF0EAD 3_2_02DF0EAD
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D60E50 3_2_02D60E50
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D82E48 3_2_02D82E48
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DE0E6D 3_2_02DE0E6D
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF1FC6 3_2_02DF1FC6
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D46FE0 3_2_02D46FE0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFEFBF 3_2_02DFEFBF
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFFF63 3_2_02DFFF63
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D4CF00 3_2_02D4CF00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D58CDF 3_2_02D58CDF
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02E0ACEB 3_2_02E0ACEB
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D5FCE0 3_2_02D5FCE0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DD9C98 3_2_02DD9C98
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DEEC4C 3_2_02DEEC4C
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D43C60 3_2_02D43C60
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF6C69 3_2_02DF6C69
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFEC60 3_2_02DFEC60
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D30C12 3_2_02D30C12
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D4AC20 3_2_02D4AC20
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D49DD0 3_2_02D49DD0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DDFDF4 3_2_02DDFDF4
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D52DB0 3_2_02D52DB0
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DF7D4C 3_2_02DF7D4C
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D40D69 3_2_02D40D69
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D3AD00 3_2_02D3AD00
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02DFFD27 3_2_02DFFD27
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6EEBA 3_2_02B6EEBA
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6E307 3_2_02B6E307
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6C9B3 3_2_02B6C9B3
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6E1E8 3_2_02B6E1E8
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6E69D 3_2_02B6E69D
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6D708 3_2_02B6D708
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6E46D 3_2_02B6E46D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: String function: 32E87BE4 appears 88 times
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: String function: 32EAE692 appears 84 times
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: String function: 32E75050 appears 35 times
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: String function: 32E2B910 appears 265 times
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: String function: 32EBEF10 appears 104 times
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: String function: 02DAE692 appears 85 times
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: String function: 02D2B910 appears 267 times
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: String function: 02D75050 appears 35 times
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: String function: 02D87BE4 appears 88 times
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: String function: 02DBEF10 appears 105 times
Source: FACTURA-002297.exe Static PE information: invalid certificate
Source: FACTURA-002297.exe, 00000000.00000002.12779867343.0000000000457000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000003.13126720874.0000000032D7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSeCEditj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032F2D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSeCEditj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000000.12705303582.0000000000457000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000002.13227773451.00000000330D0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe, 00000001.00000003.13122847892.0000000032BB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs FACTURA-002297.exe
Source: FACTURA-002297.exe Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs FACTURA-002297.exe
Source: FACTURA-002297.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
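The static characteristics line above is worth decoding rather than reading past: RELOCS_STRIPPED means the image carries no base relocations and must be loaded at its preferred base, so ASLR cannot apply to it whatever the optional header's DYNAMIC_BASE bit says, and 32BIT_MACHINE without DLL is a 32-bit executable that runs under WOW64 on x64 Windows, which is consistent with the injection target being the SysWOW64 copy of SecEdit.exe. The Python below is an added example, not from the report or from Joe Sandbox: it walks the MZ header, e_lfanew, PE signature, COFF header and optional header of a PE image, decodes both flag words, and reports the mitigation consequences. It runs on a constructed header-only PE32 image; the Characteristics value 0x010F reproduces the five flags the report prints, while the DllCharacteristics value is constructed because the page does not state the sample's.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits and IMAGE_OPTIONAL_HEADER.DllCharacteristics
# bits (subsets), from the PE/COFF specification.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header and
    return both flag words decoded. Raises ValueError on a malformed image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsections, _ts, _psym, _nsym, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # COFF header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": _flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_characteristics, DLL_CHARACTERISTICS),
    }


def assess_mitigations(hdr):
    """Translate the flag words into the mitigations a defender cares about."""
    c, d = hdr["characteristics"], hdr["dll_characteristics"]
    findings = []
    if "RELOCS_STRIPPED" in c:
        findings.append("no base relocations: image must load at its preferred base, so ASLR cannot apply even if DYNAMIC_BASE were set")
    elif "DYNAMIC_BASE" not in d:
        findings.append("DYNAMIC_BASE clear: image opts out of ASLR")
    if "NX_COMPAT" not in d:
        findings.append("NX_COMPAT clear: DEP not requested by the image")
    if "GUARD_CF" not in d:
        findings.append("GUARD_CF clear: no Control Flow Guard")
    if "DLL" not in c and "EXECUTABLE_IMAGE" in c and "32BIT_MACHINE" in c and not hdr["pe32plus"]:
        findings.append("32-bit executable: runs under WOW64 on x64 Windows")
    return findings


def build_constructed_header(characteristics, dll_characteristics, magic=0x10B):
    """Constructed minimal PE32 image (headers only, no sections) for this demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 224, characteristics)  # i386, 4 sections
    opt = bytearray(224)                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x010F = the five flags the report prints; DllCharacteristics 0 is constructed.
    hdr = parse_pe_headers(build_constructed_header(0x010F, 0x0000))
    print(hdr["characteristics"])
    for finding in assess_mitigations(hdr):
        print(" -", finding)
```

Older NSIS stubs are commonly built with relocations stripped, so the finding on its own is not an indicator of malice; it tells the analyst that any shellcode staged inside this image can rely on fixed addresses, and that the relevant ASLR question moves to the DLLs and the target processes the payload is injected into.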
Source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/8@2/2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404814
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_004020FE CoCreateInstance, 0_2_004020FE
Source: C:\Users\user\Desktop\FACTURA-002297.exe File created: C:\Users\user\AppData\Local\Temp\nsyC9F2.tmp
Source: FACTURA-002297.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURA-002297.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FACTURA-002297.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FACTURA-002297.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\FACTURA-002297.exe File read: C:\Users\user\Desktop\FACTURA-002297.exe
Source: unknown Process created: C:\Users\user\Desktop\FACTURA-002297.exe "C:\Users\user\Desktop\FACTURA-002297.exe"
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process created: C:\Users\user\Desktop\FACTURA-002297.exe "C:\Users\user\Desktop\FACTURA-002297.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process created: C:\Users\user\Desktop\FACTURA-002297.exe "C:\Users\user\Desktop\FACTURA-002297.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: scecli.dll
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: edgegdi.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\FACTURA-002297.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Gaulin.ini
Source: FACTURA-002297.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: SecEdit.pdb source: FACTURA-002297.exe, 00000001.00000002.13215535110.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13180075651.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: FACTURA-002297.exe, 00000001.00000001.12705991401.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: SecEdit.pdbGCTL source: FACTURA-002297.exe, 00000001.00000002.13215535110.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13179961081.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13180075651.0000000002B5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: FACTURA-002297.exe, 00000001.00000003.13122847892.0000000032A96000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13126720874.0000000032C4E000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032F2D000.00000040.00001000.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032E00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13211211466.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13214921112.0000000002B56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: FACTURA-002297.exe, FACTURA-002297.exe, 00000001.00000003.13122847892.0000000032A96000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000003.13126720874.0000000032C4E000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032F2D000.00000040.00001000.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13227773451.0000000032E00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, SecEdit.exe, 00000003.00000002.14765387311.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000002.14765387311.0000000002E2D000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13211211466.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 00000003.00000003.13214921112.0000000002B56000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: FACTURA-002297.exe, 00000001.00000001.12705991401.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Source: Yara match File source: 00000000.00000002.12781637657.000000000332A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E308CD push ecx; mov dword ptr [esp], ecx 1_2_32E308D6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B24AD6 push esp; retf 1_2_32B24AAD
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B24A0A push esp; retf 1_2_32B24AAD
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2C8AA push esi; iretd 1_2_32B2C8AD
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2B89A pushfd ; ret 1_2_32B2B8B2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B2B828 pushfd ; ret 1_2_32B2B8B2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B23E36 push edi; ret 1_2_32B23E38
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B24657 push ecx; ret 1_2_32B24674
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B24643 push ecx; ret 1_2_32B24674
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B24407 pushfd ; ret 1_2_32B24408
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B20DB3 push ebx; iretd 1_2_32B20DB4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32B20DD3 push ds; ret 1_2_32B20DD4
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0F7F5 push esp; retf 2_2_03E0F898
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0BBBE push ds; ret 2_2_03E0BBBF
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0BB9E push ebx; iretd 2_2_03E0BB9F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E16685 pushfd ; ret 2_2_03E1669D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E17695 push esi; iretd 2_2_03E17698
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E16613 pushfd ; ret 2_2_03E1669D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0F1F2 pushfd ; ret 2_2_03E0F1F3
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0F8C1 push esp; retf 2_2_03E0F898
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0F442 push ecx; ret 2_2_03E0F45F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0EC21 push edi; ret 2_2_03E0EC23
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 2_2_03E0F42E push ecx; ret 2_2_03E0F45F
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02D308CD push ecx; mov dword ptr [esp], ecx 3_2_02D308D6
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6B2B8 push edi; retf 42F6h 3_2_02B6B325
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B64AD6 push esp; retf 3_2_02B64AAD
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B64A0A push esp; retf 3_2_02B64AAD
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6C8AA push esi; iretd 3_2_02B6C8AD
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B6B89A pushfd ; ret 3_2_02B6B8B2
Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 3_2_02B75032 push eax; ret 3_2_02B75034
Source: C:\Users\user\Desktop\FACTURA-002297.exe File created: C:\Users\user\AppData\Local\Temp\nsqD01E.tmp\System.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SecEdit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 35B9EFF
Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 19F9EFF
Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 7FFB6E7D0594
Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 7FFB6E7CFF74
Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 7FFB6E7CD6C4
Source: C:\Users\user\Desktop\FACTURA-002297.exe API/Special instruction interceptor: Address: 7FFB6E7CD864
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD144
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7D0594
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD764
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD324
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD364
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD004
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CFF74
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD6C4
Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FFB6E7CD864
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E71763 rdtsc 1_2_32E71763
Source: C:\Windows\SysWOW64\SecEdit.exe Window / User API: threadDelayed 9852
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 887
Source: C:\Users\user\Desktop\FACTURA-002297.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqD01E.tmp\System.dll
Source: C:\Users\user\Desktop\FACTURA-002297.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\SecEdit.exe API coverage: 1.1 %
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 4524 Thread sleep count: 122 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 4524 Thread sleep time: -244000s >= -30000s
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 4524 Thread sleep count: 9852 > 30
Source: C:\Windows\SysWOW64\SecEdit.exe TID: 4524 Thread sleep time: -19704000s >= -30000s
Source: C:\Windows\SysWOW64\SecEdit.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\SecEdit.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_004066F3 FindFirstFileW,FindClose, 0_2_004066F3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405ABE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00402862 FindFirstFileW, 0_2_00402862
Source: SecEdit.exe, 00000003.00000002.14764686330.000000000277D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#'
Source: explorer.exe, 00000004.00000000.14692727753.00000000094F4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.17481542953.00000000094F4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: FACTURA-002297.exe, 00000001.00000003.13124152190.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, FACTURA-002297.exe, 00000001.00000002.13215405983.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.14699484326.000000000CDDB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.17505828756.000000000CDDB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FACTURA-002297.exe, 00000001.00000002.13215088885.0000000002AD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\FACTURA-002297.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FACTURA-002297.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\SecEdit.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\SecEdit.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\SecEdit.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E71763 rdtsc 1_2_32E71763
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E734E0 NtCreateMutant,LdrInitializeThunk, 1_2_32E734E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E272E0 mov eax, dword ptr fs:[00000030h] 1_2_32E272E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A2E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3A2E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E382E0 mov eax, dword ptr fs:[00000030h] 1_2_32E382E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E382E0 mov eax, dword ptr fs:[00000030h] 1_2_32E382E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E382E0 mov eax, dword ptr fs:[00000030h] 1_2_32E382E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E382E0 mov eax, dword ptr fs:[00000030h] 1_2_32E382E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D2EC mov eax, dword ptr fs:[00000030h] 1_2_32E2D2EC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D2EC mov eax, dword ptr fs:[00000030h] 1_2_32E2D2EC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E402F9 mov eax, dword ptr fs:[00000030h] 1_2_32E402F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E532C5 mov eax, dword ptr fs:[00000030h] 1_2_32E532C5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F032C9 mov eax, dword ptr fs:[00000030h] 1_2_32F032C9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF2AE mov eax, dword ptr fs:[00000030h] 1_2_32EEF2AE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF92AB mov eax, dword ptr fs:[00000030h] 1_2_32EF92AB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E542AF mov eax, dword ptr fs:[00000030h] 1_2_32E542AF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E542AF mov eax, dword ptr fs:[00000030h] 1_2_32E542AF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0B2BC mov eax, dword ptr fs:[00000030h] 1_2_32F0B2BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0B2BC mov eax, dword ptr fs:[00000030h] 1_2_32F0B2BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0B2BC mov eax, dword ptr fs:[00000030h] 1_2_32F0B2BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0B2BC mov eax, dword ptr fs:[00000030h] 1_2_32F0B2BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E292AF mov eax, dword ptr fs:[00000030h] 1_2_32E292AF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2C2B0 mov ecx, dword ptr fs:[00000030h] 1_2_32E2C2B0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE289 mov eax, dword ptr fs:[00000030h] 1_2_32EAE289
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E37290 mov eax, dword ptr fs:[00000030h] 1_2_32E37290
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E37290 mov eax, dword ptr fs:[00000030h] 1_2_32E37290
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E37290 mov eax, dword ptr fs:[00000030h] 1_2_32E37290
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B273 mov eax, dword ptr fs:[00000030h] 1_2_32E2B273
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B273 mov eax, dword ptr fs:[00000030h] 1_2_32E2B273
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B273 mov eax, dword ptr fs:[00000030h] 1_2_32E2B273
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC327E mov eax, dword ptr fs:[00000030h] 1_2_32EC327E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EED270 mov eax, dword ptr fs:[00000030h] 1_2_32EED270
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF247 mov eax, dword ptr fs:[00000030h] 1_2_32EEF247
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5F24A mov eax, dword ptr fs:[00000030h] 1_2_32E5F24A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB0227 mov eax, dword ptr fs:[00000030h] 1_2_32EB0227
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB0227 mov eax, dword ptr fs:[00000030h] 1_2_32EB0227
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB0227 mov eax, dword ptr fs:[00000030h] 1_2_32EB0227
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A22B mov eax, dword ptr fs:[00000030h] 1_2_32E6A22B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A22B mov eax, dword ptr fs:[00000030h] 1_2_32E6A22B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A22B mov eax, dword ptr fs:[00000030h] 1_2_32E6A22B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E50230 mov ecx, dword ptr fs:[00000030h] 1_2_32E50230
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2A200 mov eax, dword ptr fs:[00000030h] 1_2_32E2A200
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2821B mov eax, dword ptr fs:[00000030h] 1_2_32E2821B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBB214 mov eax, dword ptr fs:[00000030h] 1_2_32EBB214
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBB214 mov eax, dword ptr fs:[00000030h] 1_2_32EBB214
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E3C0 mov eax, dword ptr fs:[00000030h] 1_2_32E2E3C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E3C0 mov eax, dword ptr fs:[00000030h] 1_2_32E2E3C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E3C0 mov eax, dword ptr fs:[00000030h] 1_2_32E2E3C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2C3C7 mov eax, dword ptr fs:[00000030h] 1_2_32E2C3C7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E363CB mov eax, dword ptr fs:[00000030h] 1_2_32E363CB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E633D0 mov eax, dword ptr fs:[00000030h] 1_2_32E633D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E643D0 mov ecx, dword ptr fs:[00000030h] 1_2_32E643D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB43D5 mov eax, dword ptr fs:[00000030h] 1_2_32EB43D5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E393A6 mov eax, dword ptr fs:[00000030h] 1_2_32E393A6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E393A6 mov eax, dword ptr fs:[00000030h] 1_2_32E393A6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAC3B0 mov eax, dword ptr fs:[00000030h] 1_2_32EAC3B0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 mov eax, dword ptr fs:[00000030h] 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 mov eax, dword ptr fs:[00000030h] 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 mov eax, dword ptr fs:[00000030h] 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 mov eax, dword ptr fs:[00000030h] 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31380 mov eax, dword ptr fs:[00000030h] 1_2_32E31380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F380 mov eax, dword ptr fs:[00000030h] 1_2_32E4F380
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF38A mov eax, dword ptr fs:[00000030h] 1_2_32EEF38A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5A390 mov eax, dword ptr fs:[00000030h] 1_2_32E5A390
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5A390 mov eax, dword ptr fs:[00000030h] 1_2_32E5A390
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5A390 mov eax, dword ptr fs:[00000030h] 1_2_32E5A390
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3B360 mov eax, dword ptr fs:[00000030h] 1_2_32E3B360
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E363 mov eax, dword ptr fs:[00000030h] 1_2_32E6E363
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE372 mov eax, dword ptr fs:[00000030h] 1_2_32EAE372
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE372 mov eax, dword ptr fs:[00000030h] 1_2_32EAE372
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE372 mov eax, dword ptr fs:[00000030h] 1_2_32EAE372
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE372 mov eax, dword ptr fs:[00000030h] 1_2_32EAE372
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB0371 mov eax, dword ptr fs:[00000030h] 1_2_32EB0371
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB0371 mov eax, dword ptr fs:[00000030h] 1_2_32EB0371
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5237A mov eax, dword ptr fs:[00000030h] 1_2_32E5237A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E28347 mov eax, dword ptr fs:[00000030h] 1_2_32E28347
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E28347 mov eax, dword ptr fs:[00000030h] 1_2_32E28347
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E28347 mov eax, dword ptr fs:[00000030h] 1_2_32E28347
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A350 mov eax, dword ptr fs:[00000030h] 1_2_32E6A350
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E68322 mov eax, dword ptr fs:[00000030h] 1_2_32E68322
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E68322 mov eax, dword ptr fs:[00000030h] 1_2_32E68322
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E68322 mov eax, dword ptr fs:[00000030h] 1_2_32E68322
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F03336 mov eax, dword ptr fs:[00000030h] 1_2_32F03336
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5332D mov eax, dword ptr fs:[00000030h] 1_2_32E5332D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E328 mov eax, dword ptr fs:[00000030h] 1_2_32E2E328
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E328 mov eax, dword ptr fs:[00000030h] 1_2_32E2E328
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2E328 mov eax, dword ptr fs:[00000030h] 1_2_32E2E328
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E29303 mov eax, dword ptr fs:[00000030h] 1_2_32E29303
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E29303 mov eax, dword ptr fs:[00000030h] 1_2_32E29303
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF30A mov eax, dword ptr fs:[00000030h] 1_2_32EEF30A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB330C mov eax, dword ptr fs:[00000030h] 1_2_32EB330C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB330C mov eax, dword ptr fs:[00000030h] 1_2_32EB330C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB330C mov eax, dword ptr fs:[00000030h] 1_2_32EB330C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB330C mov eax, dword ptr fs:[00000030h] 1_2_32EB330C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4E310 mov eax, dword ptr fs:[00000030h] 1_2_32E4E310
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4E310 mov eax, dword ptr fs:[00000030h] 1_2_32E4E310
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4E310 mov eax, dword ptr fs:[00000030h] 1_2_32E4E310
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6631F mov eax, dword ptr fs:[00000030h] 1_2_32E6631F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2C0F6 mov eax, dword ptr fs:[00000030h] 1_2_32E2C0F6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6D0F0 mov eax, dword ptr fs:[00000030h] 1_2_32E6D0F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6D0F0 mov ecx, dword ptr fs:[00000030h] 1_2_32E6D0F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E290F8 mov eax, dword ptr fs:[00000030h] 1_2_32E290F8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E290F8 mov eax, dword ptr fs:[00000030h] 1_2_32E290F8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E290F8 mov eax, dword ptr fs:[00000030h] 1_2_32E290F8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E290F8 mov eax, dword ptr fs:[00000030h] 1_2_32E290F8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4B0D0 mov eax, dword ptr fs:[00000030h] 1_2_32E4B0D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B0D6 mov eax, dword ptr fs:[00000030h] 1_2_32E2B0D6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B0D6 mov eax, dword ptr fs:[00000030h] 1_2_32E2B0D6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B0D6 mov eax, dword ptr fs:[00000030h] 1_2_32E2B0D6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B0D6 mov eax, dword ptr fs:[00000030h] 1_2_32E2B0D6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEB0AF mov eax, dword ptr fs:[00000030h] 1_2_32EEB0AF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E700A5 mov eax, dword ptr fs:[00000030h] 1_2_32E700A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F050B7 mov eax, dword ptr fs:[00000030h] 1_2_32F050B7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDF0A5 mov eax, dword ptr fs:[00000030h] 1_2_32EDF0A5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04080 mov eax, dword ptr fs:[00000030h] 1_2_32F04080
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2A093 mov ecx, dword ptr fs:[00000030h] 1_2_32E2A093
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2C090 mov eax, dword ptr fs:[00000030h] 1_2_32E2C090
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32ED9060 mov eax, dword ptr fs:[00000030h] 1_2_32ED9060
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E37072 mov eax, dword ptr fs:[00000030h] 1_2_32E37072
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E36074 mov eax, dword ptr fs:[00000030h] 1_2_32E36074
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E36074 mov eax, dword ptr fs:[00000030h] 1_2_32E36074
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E60044 mov eax, dword ptr fs:[00000030h] 1_2_32E60044
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0505B mov eax, dword ptr fs:[00000030h] 1_2_32F0505B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31051 mov eax, dword ptr fs:[00000030h] 1_2_32E31051
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E31051 mov eax, dword ptr fs:[00000030h] 1_2_32E31051
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D02D mov eax, dword ptr fs:[00000030h] 1_2_32E2D02D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E55004 mov eax, dword ptr fs:[00000030h] 1_2_32E55004
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E55004 mov ecx, dword ptr fs:[00000030h] 1_2_32E55004
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E38009 mov eax, dword ptr fs:[00000030h] 1_2_32E38009
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72010 mov ecx, dword ptr fs:[00000030h] 1_2_32E72010
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A1E3 mov eax, dword ptr fs:[00000030h] 1_2_32E3A1E3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A1E3 mov eax, dword ptr fs:[00000030h] 1_2_32E3A1E3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A1E3 mov eax, dword ptr fs:[00000030h] 1_2_32E3A1E3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A1E3 mov eax, dword ptr fs:[00000030h] 1_2_32E3A1E3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3A1E3 mov eax, dword ptr fs:[00000030h] 1_2_32E3A1E3
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF81EE mov eax, dword ptr fs:[00000030h] 1_2_32EF81EE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF81EE mov eax, dword ptr fs:[00000030h] 1_2_32EF81EE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5B1E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5B1E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E391E5 mov eax, dword ptr fs:[00000030h] 1_2_32E391E5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E391E5 mov eax, dword ptr fs:[00000030h] 1_2_32E391E5
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E281EB mov eax, dword ptr fs:[00000030h] 1_2_32E281EB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E291F0 mov eax, dword ptr fs:[00000030h] 1_2_32E291F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E291F0 mov eax, dword ptr fs:[00000030h] 1_2_32E291F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E401F1 mov eax, dword ptr fs:[00000030h] 1_2_32E401F1
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E401F1 mov eax, dword ptr fs:[00000030h] 1_2_32E401F1
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E401F1 mov eax, dword ptr fs:[00000030h] 1_2_32E401F1
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5F1F0 mov eax, dword ptr fs:[00000030h] 1_2_32E5F1F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5F1F0 mov eax, dword ptr fs:[00000030h] 1_2_32E5F1F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E401C0 mov eax, dword ptr fs:[00000030h] 1_2_32E401C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E401C0 mov eax, dword ptr fs:[00000030h] 1_2_32E401C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E451C0 mov eax, dword ptr fs:[00000030h] 1_2_32E451C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E451C0 mov eax, dword ptr fs:[00000030h] 1_2_32E451C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E451C0 mov eax, dword ptr fs:[00000030h] 1_2_32E451C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E451C0 mov eax, dword ptr fs:[00000030h] 1_2_32E451C0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E1A4 mov eax, dword ptr fs:[00000030h] 1_2_32E6E1A4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E1A4 mov eax, dword ptr fs:[00000030h] 1_2_32E6E1A4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F051B6 mov eax, dword ptr fs:[00000030h] 1_2_32F051B6
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E631BE mov eax, dword ptr fs:[00000030h] 1_2_32E631BE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E631BE mov eax, dword ptr fs:[00000030h] 1_2_32E631BE
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E641BB mov ecx, dword ptr fs:[00000030h] 1_2_32E641BB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E641BB mov eax, dword ptr fs:[00000030h] 1_2_32E641BB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E641BB mov eax, dword ptr fs:[00000030h] 1_2_32E641BB
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E34180 mov eax, dword ptr fs:[00000030h] 1_2_32E34180
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E34180 mov eax, dword ptr fs:[00000030h] 1_2_32E34180
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E34180 mov eax, dword ptr fs:[00000030h] 1_2_32E34180
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E59194 mov eax, dword ptr fs:[00000030h] 1_2_32E59194
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E71190 mov eax, dword ptr fs:[00000030h] 1_2_32E71190
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E71190 mov eax, dword ptr fs:[00000030h] 1_2_32E71190
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6716D mov eax, dword ptr fs:[00000030h] 1_2_32E6716D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E8717A mov eax, dword ptr fs:[00000030h] 1_2_32E8717A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E8717A mov eax, dword ptr fs:[00000030h] 1_2_32E8717A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E36179 mov eax, dword ptr fs:[00000030h] 1_2_32E36179
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2A147 mov eax, dword ptr fs:[00000030h] 1_2_32E2A147
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2A147 mov eax, dword ptr fs:[00000030h] 1_2_32E2A147
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2A147 mov eax, dword ptr fs:[00000030h] 1_2_32E2A147
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC314A mov eax, dword ptr fs:[00000030h] 1_2_32EC314A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC314A mov eax, dword ptr fs:[00000030h] 1_2_32EC314A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC314A mov eax, dword ptr fs:[00000030h] 1_2_32EC314A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC314A mov eax, dword ptr fs:[00000030h] 1_2_32EC314A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F03157 mov eax, dword ptr fs:[00000030h] 1_2_32F03157
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F03157 mov eax, dword ptr fs:[00000030h] 1_2_32F03157
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F03157 mov eax, dword ptr fs:[00000030h] 1_2_32F03157
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F05149 mov eax, dword ptr fs:[00000030h] 1_2_32F05149
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6415F mov eax, dword ptr fs:[00000030h] 1_2_32E6415F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E67128 mov eax, dword ptr fs:[00000030h] 1_2_32E67128
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E67128 mov eax, dword ptr fs:[00000030h] 1_2_32E67128
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF13E mov eax, dword ptr fs:[00000030h] 1_2_32EEF13E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBA130 mov eax, dword ptr fs:[00000030h] 1_2_32EBA130
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5510F mov eax, dword ptr fs:[00000030h] 1_2_32E5510F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3510D mov eax, dword ptr fs:[00000030h] 1_2_32E3510D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F113 mov eax, dword ptr fs:[00000030h] 1_2_32E2F113
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E60118 mov eax, dword ptr fs:[00000030h] 1_2_32E60118
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E296E0 mov eax, dword ptr fs:[00000030h] 1_2_32E296E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E296E0 mov eax, dword ptr fs:[00000030h] 1_2_32E296E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3C6E0 mov eax, dword ptr fs:[00000030h] 1_2_32E3C6E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E356E0 mov eax, dword ptr fs:[00000030h] 1_2_32E356E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E356E0 mov eax, dword ptr fs:[00000030h] 1_2_32E356E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E356E0 mov eax, dword ptr fs:[00000030h] 1_2_32E356E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E566E0 mov eax, dword ptr fs:[00000030h] 1_2_32E566E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E566E0 mov eax, dword ptr fs:[00000030h] 1_2_32E566E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAC6F2 mov eax, dword ptr fs:[00000030h] 1_2_32EAC6F2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAC6F2 mov eax, dword ptr fs:[00000030h] 1_2_32EAC6F2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E306CF mov eax, dword ptr fs:[00000030h] 1_2_32E306CF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32ED86C2 mov eax, dword ptr fs:[00000030h] 1_2_32ED86C2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5D6D0 mov eax, dword ptr fs:[00000030h] 1_2_32E5D6D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF86A8 mov eax, dword ptr fs:[00000030h] 1_2_32EF86A8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EF86A8 mov eax, dword ptr fs:[00000030h] 1_2_32EF86A8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF68C mov eax, dword ptr fs:[00000030h] 1_2_32EEF68C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40680 mov eax, dword ptr fs:[00000030h] 1_2_32E40680
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E38690 mov eax, dword ptr fs:[00000030h] 1_2_32E38690
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBC691 mov eax, dword ptr fs:[00000030h] 1_2_32EBC691
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E27662 mov eax, dword ptr fs:[00000030h] 1_2_32E27662
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E27662 mov eax, dword ptr fs:[00000030h] 1_2_32E27662
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E27662 mov eax, dword ptr fs:[00000030h] 1_2_32E27662
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E43660 mov eax, dword ptr fs:[00000030h] 1_2_32E43660
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E43660 mov eax, dword ptr fs:[00000030h] 1_2_32E43660
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E43660 mov eax, dword ptr fs:[00000030h] 1_2_32E43660
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6666D mov esi, dword ptr fs:[00000030h] 1_2_32E6666D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6666D mov eax, dword ptr fs:[00000030h] 1_2_32E6666D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6666D mov eax, dword ptr fs:[00000030h] 1_2_32E6666D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E30670 mov eax, dword ptr fs:[00000030h] 1_2_32E30670
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72670 mov eax, dword ptr fs:[00000030h] 1_2_32E72670
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E72670 mov eax, dword ptr fs:[00000030h] 1_2_32E72670
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E33640 mov eax, dword ptr fs:[00000030h] 1_2_32E33640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F640 mov eax, dword ptr fs:[00000030h] 1_2_32E4F640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F640 mov eax, dword ptr fs:[00000030h] 1_2_32E4F640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E4F640 mov eax, dword ptr fs:[00000030h] 1_2_32E4F640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6C640 mov eax, dword ptr fs:[00000030h] 1_2_32E6C640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6C640 mov eax, dword ptr fs:[00000030h] 1_2_32E6C640
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D64A mov eax, dword ptr fs:[00000030h] 1_2_32E2D64A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2D64A mov eax, dword ptr fs:[00000030h] 1_2_32E2D64A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E65654 mov eax, dword ptr fs:[00000030h] 1_2_32E65654
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3965A mov eax, dword ptr fs:[00000030h] 1_2_32E3965A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3965A mov eax, dword ptr fs:[00000030h] 1_2_32E3965A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6265C mov eax, dword ptr fs:[00000030h] 1_2_32E6265C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6265C mov ecx, dword ptr fs:[00000030h] 1_2_32E6265C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6265C mov eax, dword ptr fs:[00000030h] 1_2_32E6265C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E37623 mov eax, dword ptr fs:[00000030h] 1_2_32E37623
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDD62C mov ecx, dword ptr fs:[00000030h] 1_2_32EDD62C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDD62C mov ecx, dword ptr fs:[00000030h] 1_2_32EDD62C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDD62C mov eax, dword ptr fs:[00000030h] 1_2_32EDD62C
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E35622 mov eax, dword ptr fs:[00000030h] 1_2_32E35622
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E35622 mov eax, dword ptr fs:[00000030h] 1_2_32E35622
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6C620 mov eax, dword ptr fs:[00000030h] 1_2_32E6C620
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E30630 mov eax, dword ptr fs:[00000030h] 1_2_32E30630
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E60630 mov eax, dword ptr fs:[00000030h] 1_2_32E60630
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB8633 mov esi, dword ptr fs:[00000030h] 1_2_32EB8633
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB8633 mov eax, dword ptr fs:[00000030h] 1_2_32EB8633
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB8633 mov eax, dword ptr fs:[00000030h] 1_2_32EB8633
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6F63F mov eax, dword ptr fs:[00000030h] 1_2_32E6F63F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6F63F mov eax, dword ptr fs:[00000030h] 1_2_32E6F63F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC3608 mov eax, dword ptr fs:[00000030h] 1_2_32EC3608
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5D600 mov eax, dword ptr fs:[00000030h] 1_2_32E5D600
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5D600 mov eax, dword ptr fs:[00000030h] 1_2_32E5D600
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF607 mov eax, dword ptr fs:[00000030h] 1_2_32EEF607
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6360F mov eax, dword ptr fs:[00000030h] 1_2_32E6360F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F04600 mov eax, dword ptr fs:[00000030h] 1_2_32F04600
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5E7E0 mov eax, dword ptr fs:[00000030h] 1_2_32E5E7E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E337E4 mov eax, dword ptr fs:[00000030h] 1_2_32E337E4
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E377F9 mov eax, dword ptr fs:[00000030h] 1_2_32E377F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E377F9 mov eax, dword ptr fs:[00000030h] 1_2_32E377F9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF7CF mov eax, dword ptr fs:[00000030h] 1_2_32EEF7CF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E307A7 mov eax, dword ptr fs:[00000030h] 1_2_32E307A7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFD7A7 mov eax, dword ptr fs:[00000030h] 1_2_32EFD7A7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFD7A7 mov eax, dword ptr fs:[00000030h] 1_2_32EFD7A7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFD7A7 mov eax, dword ptr fs:[00000030h] 1_2_32EFD7A7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F017BC mov eax, dword ptr fs:[00000030h] 1_2_32F017BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E61796 mov eax, dword ptr fs:[00000030h] 1_2_32E61796
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32F0B781 mov eax, dword ptr fs:[00000030h] 1_2_32F0B781
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EAE79D mov eax, dword ptr fs:[00000030h] 1_2_32EAE79D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E42760 mov ecx, dword ptr fs:[00000030h] 1_2_32E42760
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E71763 mov eax, dword ptr fs:[00000030h] 1_2_32E71763
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E60774 mov eax, dword ptr fs:[00000030h] 1_2_32E60774
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E34779 mov eax, dword ptr fs:[00000030h] 1_2_32E34779
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E63740 mov eax, dword ptr fs:[00000030h] 1_2_32E63740
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6174A mov eax, dword ptr fs:[00000030h] 1_2_32E6174A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E52755 mov eax, dword ptr fs:[00000030h] 1_2_32E52755
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E52755 mov ecx, dword ptr fs:[00000030h] 1_2_32E52755
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A750 mov eax, dword ptr fs:[00000030h] 1_2_32E6A750
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2F75B mov eax, dword ptr fs:[00000030h] 1_2_32E2F75B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EDE750 mov eax, dword ptr fs:[00000030h] 1_2_32EDE750
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E59723 mov eax, dword ptr fs:[00000030h] 1_2_32E59723
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3D700 mov ecx, dword ptr fs:[00000030h] 1_2_32E3D700
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B705 mov eax, dword ptr fs:[00000030h] 1_2_32E2B705
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5270D mov eax, dword ptr fs:[00000030h] 1_2_32E5270D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3471B mov eax, dword ptr fs:[00000030h] 1_2_32E3471B
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF717 mov eax, dword ptr fs:[00000030h] 1_2_32EEF717
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E654E0 mov eax, dword ptr fs:[00000030h] 1_2_32E654E0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E4EF mov eax, dword ptr fs:[00000030h] 1_2_32E6E4EF
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF4FD mov eax, dword ptr fs:[00000030h] 1_2_32EEF4FD
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E364F0 mov eax, dword ptr fs:[00000030h] 1_2_32E364F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A4F0 mov eax, dword ptr fs:[00000030h] 1_2_32E6A4F0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E594FA mov eax, dword ptr fs:[00000030h] 1_2_32E594FA
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E514C9 mov eax, dword ptr fs:[00000030h] 1_2_32E514C9
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E544D1 mov eax, dword ptr fs:[00000030h] 1_2_32E544D1
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5F4D0 mov eax, dword ptr fs:[00000030h] 1_2_32E5F4D0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E324A2 mov eax, dword ptr fs:[00000030h] 1_2_32E324A2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E324A2 mov ecx, dword ptr fs:[00000030h] 1_2_32E324A2
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBD4A0 mov ecx, dword ptr fs:[00000030h] 1_2_32EBD4A0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBD4A0 mov eax, dword ptr fs:[00000030h] 1_2_32EBD4A0
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E644A8 mov eax, dword ptr fs:[00000030h] 1_2_32E644A8
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6E4BC mov eax, dword ptr fs:[00000030h] 1_2_32E6E4BC
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E30485 mov ecx, dword ptr fs:[00000030h] 1_2_32E30485
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6648A mov eax, dword ptr fs:[00000030h] 1_2_32E6648A
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6B490 mov eax, dword ptr fs:[00000030h] 1_2_32E6B490
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBC490 mov eax, dword ptr fs:[00000030h] 1_2_32EBC490
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EFA464 mov eax, dword ptr fs:[00000030h] 1_2_32EFA464
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E38470 mov eax, dword ptr fs:[00000030h] 1_2_32E38470
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EEF478 mov eax, dword ptr fs:[00000030h] 1_2_32EEF478
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E40445 mov eax, dword ptr fs:[00000030h] 1_2_32E40445
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6D450 mov eax, dword ptr fs:[00000030h] 1_2_32E6D450
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E3D454 mov eax, dword ptr fs:[00000030h] 1_2_32E3D454
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E5E45E mov eax, dword ptr fs:[00000030h] 1_2_32E5E45E
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2B420 mov eax, dword ptr fs:[00000030h] 1_2_32E2B420
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EB9429 mov eax, dword ptr fs:[00000030h] 1_2_32EB9429
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E67425 mov eax, dword ptr fs:[00000030h] 1_2_32E67425
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E67425 mov ecx, dword ptr fs:[00000030h] 1_2_32E67425
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EBF42F mov eax, dword ptr fs:[00000030h] 1_2_32EBF42F
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32EC6400 mov eax, dword ptr fs:[00000030h] 1_2_32EC6400
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E2640D mov eax, dword ptr fs:[00000030h] 1_2_32E2640D
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A5E7 mov ebx, dword ptr fs:[00000030h] 1_2_32E6A5E7
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 1_2_32E6A5E7 mov eax, dword ptr fs:[00000030h] 1_2_32E6A5E7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FACTURA-002297.exe NtSuspendThread: Indirect: 0x32B33909
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x3E16998
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x3E0EC6D
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x3E0EE9F
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x3E0EE2E
Source: C:\Users\user\Desktop\FACTURA-002297.exe NtQueueApcThread: Indirect: 0x32B2F414
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtTerminateThread: Direct from: 0x7FFB6E782651
Source: C:\Users\user\Desktop\FACTURA-002297.exe NtSetContextThread: Indirect: 0x32B335E9
Source: C:\Users\user\Desktop\FACTURA-002297.exe NtResumeThread: Indirect: 0x32B33C29
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Users\user\Desktop\FACTURA-002297.exe Section loaded: NULL target: C:\Windows\SysWOW64\SecEdit.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SecEdit.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\FACTURA-002297.exe Thread register set: target process: 6084
Source: C:\Windows\SysWOW64\SecEdit.exe Thread register set: target process: 6084
Source: C:\Users\user\Desktop\FACTURA-002297.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Users\user\Desktop\FACTURA-002297.exe Process created: C:\Users\user\Desktop\FACTURA-002297.exe "C:\Users\user\Desktop\FACTURA-002297.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
Source: RAVCpl64.exe, 00000002.00000000.13141282402.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000002.17463442135.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.17461187952.0000000001010000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: RAVCpl64.exe, 00000002.00000000.13141282402.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000002.17463442135.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.14689574230.0000000004730000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: RAVCpl64.exe, 00000002.00000000.13141282402.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000002.17463442135.0000000000E10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.17461187952.0000000001010000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.14686651962.0000000000990000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.17459599073.0000000000990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
Source: C:\Users\user\Desktop\FACTURA-002297.exe Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403489

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.14765009374.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.13227651588.0000000032B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.14765099123.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY