
Analysis Report Nuevo orden pdf.exe

Overview

General Information

Sample Name: Nuevo orden pdf.exe
Analysis ID: 404237
MD5: 02a32cc05efbf5236a8c0928d3c9170e
SHA1: fa3a639f15116da149b14d832b9255528f0bfe65
SHA256: 5930cfa7dd5664e104c299fce83451021349922b6b02774235eae6bd14fad464
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Nuevo orden pdf.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\Nuevo orden pdf.exe' MD5: 02A32CC05EFBF5236A8C0928D3C9170E)
    • schtasks.exe (PID: 204 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NkwKQPLeekw' /XML 'C:\Users\user\AppData\Local\Temp\tmpA401.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6196 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6616 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6776 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Full table: 18 entries; the remaining entries are omitted from this export.

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
0.2.Nuevo orden pdf.exe.2e5f580.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
Full table: 5 entries; the remaining entries are omitted from this export.

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Nuevo orden pdf.exe' , ParentImage: C:\Users\user\Desktop\Nuevo orden pdf.exe, ParentProcessId: 5520, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6196

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.lovetarot.online/sqxs/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Nuevo orden pdf.exe | Joe Sandbox ML: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Nuevo orden pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Nuevo orden pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb | source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL | source: RegSvcs.exe, 00000006.00000002.271574504.0000000000AB0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, | source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 00000006.00000002.271818263.000000000100F000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.484481118.0000000004E5F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, cmmon32.exe
Source: Binary string: RegSvcs.pdb | source: cmmon32.exe, 0000000B.00000002.487231083.000000000526F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000002.498401305.0000000006560000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49728 -> 178.128.103.114:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.lovetarot.online/sqxs/
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ HTTP/1.1 | Host: www.thefuture101.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ HTTP/1.1 | Host: www.mediatraining-toronto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ HTTP/1.1 | Host: www.bluevistainvestments.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241 184.168.131.241
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=w0QgkeD38IHRIdpbCIGaty7sV88cqzXhWLmJ40eLjOUR8JRp45mybBQ5KmZt/1kyJcny&ojl0d=RzuhPJ HTTP/1.1 | Host: www.thefuture101.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=GovnwUyBgs6xiYQW/zP+CA3Z06ENiLPJ6FoyDogwOk1ZQfWjapvzV/e42GR+qjeaq8An&ojl0d=RzuhPJ HTTP/1.1 | Host: www.mediatraining-toronto.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sqxs/?Ef=rJ59qlVpBd2p2MzE9PeUClXd0JALEtveJTDdwZJeh/IadIDZ7Pe72xE/unf7IFRjfuAh&ojl0d=RzuhPJ HTTP/1.1 | Host: www.bluevistainvestments.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.thefuture101.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.16.1 | Date: Tue, 04 May 2021 18:33:17 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 203 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 78 73 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000007.00000000.257802419.000000000F55B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nuevo orden pdf.exe | String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000000.255497530.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Nuevo orden pdf.exe | String found in binary or memory: https://github.com/MrCylops
Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Nuevo orden pdf.exe, 00000000.00000002.228288277.0000000001060000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A070 NtClose,6_2_0041A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A120 NtAllocateVirtualMemory,6_2_0041A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419F40 NtCreateFile,6_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419FF0 NtReadFile,6_2_00419FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A09A NtReadFile,6_2_0041A09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A11A NtAllocateVirtualMemory,6_2_0041A11A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419F3A NtCreateFile,6_2_00419F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00419FEB NtReadFile,6_2_00419FEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk,6_2_00F598F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk,6_2_00F59860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59840 NtDelayExecution,LdrInitializeThunk,6_2_00F59840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F599A0 NtCreateSection,LdrInitializeThunk,6_2_00F599A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_00F59910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A50 NtCreateFile,LdrInitializeThunk,6_2_00F59A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A20 NtResumeThread,LdrInitializeThunk,6_2_00F59A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk,6_2_00F59A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F595D0 NtClose,LdrInitializeThunk,6_2_00F595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59540 NtReadFile,LdrInitializeThunk,6_2_00F59540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_00F596E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_00F59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_00F597A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,6_2_00F59780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59710 NtQueryInformationToken,LdrInitializeThunk,6_2_00F59710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F598A0 NtWriteVirtualMemory,6_2_00F598A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5B040 NtSuspendThread,6_2_00F5B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59820 NtEnumerateKey,6_2_00F59820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F599D0 NtCreateProcessEx,6_2_00F599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59950 NtQueueApcThread,6_2_00F59950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A80 NtOpenDirectoryObject,6_2_00F59A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F59A10 NtQuerySection,6_2_00F59A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00F5A3B0 NtGetContextThread,6_2_00F5A3B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59B00 NtSetValueKey,6_2_00F59B00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F595F0 NtQueryInformationFile,6_2_00F595F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59560 NtWriteFile,6_2_00F59560
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5AD30 NtSetContextThread,6_2_00F5AD30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59520 NtWaitForSingleObject,6_2_00F59520
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F596D0 NtCreateKey,6_2_00F596D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59670 NtQueryInformationProcess,6_2_00F59670
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59650 NtQueryValueKey,6_2_00F59650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59610 NtEnumerateValueKey,6_2_00F59610
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59FE0 NtCreateMutant,6_2_00F59FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59770 NtSetInformationFile,6_2_00F59770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5A770 NtOpenThread,6_2_00F5A770
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59760 NtOpenProcess,6_2_00F59760
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F59730 NtQueryVirtualMemory,6_2_00F59730
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F5A710 NtOpenProcessToken,6_2_00F5A710
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9840 NtDelayExecution,LdrInitializeThunk,11_2_04DA9840
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9860 NtQuerySystemInformation,LdrInitializeThunk,11_2_04DA9860
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA95D0 NtClose,LdrInitializeThunk,11_2_04DA95D0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA99A0 NtCreateSection,LdrInitializeThunk,11_2_04DA99A0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9540 NtReadFile,LdrInitializeThunk,11_2_04DA9540
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_04DA9910
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA96D0 NtCreateKey,LdrInitializeThunk,11_2_04DA96D0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA96E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_04DA96E0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9650 NtQueryValueKey,LdrInitializeThunk,11_2_04DA9650
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9A50 NtCreateFile,LdrInitializeThunk,11_2_04DA9A50
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_04DA9660
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9FE0 NtCreateMutant,LdrInitializeThunk,11_2_04DA9FE0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9780 NtMapViewOfSection,LdrInitializeThunk,11_2_04DA9780
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9710 NtQueryInformationToken,LdrInitializeThunk,11_2_04DA9710
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA98F0 NtReadVirtualMemory,11_2_04DA98F0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA98A0 NtWriteVirtualMemory,11_2_04DA98A0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DAB040 NtSuspendThread,11_2_04DAB040
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9820 NtEnumerateKey,11_2_04DA9820
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA99D0 NtCreateProcessEx,11_2_04DA99D0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA95F0 NtQueryInformationFile,11_2_04DA95F0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9950 NtQueueApcThread,11_2_04DA9950
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9560 NtWriteFile,11_2_04DA9560
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DAAD30 NtSetContextThread,11_2_04DAAD30
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9520 NtWaitForSingleObject,11_2_04DA9520
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9A80 NtOpenDirectoryObject,11_2_04DA9A80
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9670 NtQueryInformationProcess,11_2_04DA9670
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9610 NtEnumerateValueKey,11_2_04DA9610
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9A10 NtQuerySection,11_2_04DA9A10
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9A00 NtProtectVirtualMemory,11_2_04DA9A00
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9A20 NtResumeThread,11_2_04DA9A20
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DAA3B0 NtGetContextThread,11_2_04DAA3B0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA97A0 NtUnmapViewOfSection,11_2_04DA97A0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9770 NtSetInformationFile,11_2_04DA9770
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DAA770 NtOpenThread,11_2_04DAA770
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9760 NtOpenProcess,11_2_04DA9760
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DAA710 NtOpenProcessToken,11_2_04DAA710
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9B00 NtSetValueKey,11_2_04DA9B00
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_04DA9730 NtQueryVirtualMemory,11_2_04DA9730
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1A070 NtClose,11_2_00E1A070
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1A120 NtAllocateVirtualMemory,11_2_00E1A120
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E19FF0 NtReadFile,11_2_00E19FF0
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E19F40 NtCreateFile,11_2_00E19F40
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1A09A NtReadFile,11_2_00E1A09A
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E1A11A NtAllocateVirtualMemory,11_2_00E1A11A
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E19FEB NtReadFile,11_2_00E19FEB
            Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 11_2_00E19F3A NtCreateFile,11_2_00E19F3A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00F1B150 appears 35 times
            Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 04D6B150 appears 35 times
            Source: Nuevo orden pdf.exe, 00000000.00000002.234863690.000000000C360000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.228288277.0000000001060000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.227705180.00000000009A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSize.exe> vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.235277378.000000000C460000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe, 00000000.00000002.235277378.000000000C460000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe | Binary or memory string: OriginalFilenameSize.exe> vs Nuevo orden pdf.exe
            Source: Nuevo orden pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000B.00000002.480288139.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000006.00000002.271343185.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000B.00000002.483002264.0000000004B00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000B.00000002.482531961.00000000049A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000000.00000002.230107043.0000000003E39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000006.00000002.271322606.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000006.00000002.271211976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0.2.Nuevo orden pdf.exe.3ed69a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: Nuevo orden pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: NkwKQPLeekw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@3/4
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File created: C:\Users\user\AppData\Roaming\NkwKQPLeekw.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_01
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\pYJofVrxAAcJK
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA401.tmp
            Source: Nuevo orden pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: Nuevo orden pdf.exe, 00000000.00000002.229057760.0000000002E31000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: C:\Users\user\Desktop\Nuevo orden pdf.exe | File read: C:\Users\user\Desktop\Nuevo orden pdf.exe