Windows Analysis Report Factura de proforma.exe

Overview

General Information

Sample Name:	Factura de proforma.exe
Analysis ID:	502357
MD5:	16f7045eebb451234ca8078222c5994c
SHA1:	99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256:	ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Tags:	ESPexegeo
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com", "jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com", "bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com", "agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com", "techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com", "houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz", "outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com", "highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com", "nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net", "alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com", "gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com", "democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com", "abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com", "wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Factura de proforma.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Factura de proforma.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
Source:	Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, cscript.exe
Source:	Binary string: RegSvcs.pdb source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source:	Binary string: cscript.pdb source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then pop edi

6_2_00416CEC

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.aminobalm.com
Source: C:\Windows\explorer.exe	Domain query: www.palmonlae.space
Source: C:\Windows\explorer.exe	Network Connect: 13.209.99.177 80	Jump to behavior

Performs DNS queries to domains with low reputation

Source:

DNS query: www.new-post-vehicle-site.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.thefanlounge.com/cb3b/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1Host: www.aminobalm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Factura de proforma.exe, 00000000.00000003.299841120.0000000000D0D000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerskSHU
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com-uT
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: Factura de proforma.exe, 00000000.00000003.304081072.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn.U
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn2U%
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7D
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/JD
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/XDiUa
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-eoDFU$
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tDMU
Source: Factura de proforma.exe, 00000000.00000003.300417307.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krN.TTFs
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comF
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 0000000A.00000002.573092724.00000000051DF000.00000004.00020000.sdmp	String found in binary or memory: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx

Source: unknown

DNS traffic detected: queries for: www.palmonlae.space

Source: global traffic

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: Factura de proforma.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Detected potential crypto function

Source: C:\Users\user\Desktop\Factura de proforma.exe	Code function: 0_2_0296F298	0_2_0296F298
Source: C:\Users\user\Desktop\Factura de proforma.exe	Code function: 0_2_0296F288	0_2_0296F288
Source: C:\Users\user\Desktop\Factura de proforma.exe	Code function: 0_2_0296D064	0_2_0296D064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041F04E	6_2_0041F04E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E872	6_2_0041E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D97A	6_2_0041D97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041EBDA	6_2_0041EBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E3A3	6_2_0041E3A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E437	6_2_0041E437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E1A	6_2_00409E1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D72A	6_2_0041D72A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041EF37	6_2_0041EF37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01604120	6_2_01604120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015EF900	6_2_015EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016A1002	6_2_016A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016120A0	6_2_016120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B20A8	6_2_016B20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FB090	6_2_015FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B2B28	6_2_016B2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0161EBB0	6_2_0161EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B22AE	6_2_016B22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B1D55	6_2_016B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B2D07	6_2_016B2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015E0D20	6_2_015E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015FD5E0	6_2_015FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01612581	6_2_01612581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015F841F	6_2_015F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B1FF1	6_2_016B1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01606E30	6_2_01606E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016B2EF7	6_2_016B2EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047F841F	10_2_047F841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048A1002	10_2_048A1002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047FB090	10_2_047FB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047E0D20	10_2_047E0D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047EF900	10_2_047EF900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_047FD5E0	10_2_047FD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04804120	10_2_04804120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048B1D55	10_2_048B1D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04806E30	10_2_04806E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0481EBB0	10_2_0481EBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AE872	10_2_029AE872
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02999E1A	10_2_02999E1A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02999E60	10_2_02999E60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02992FB0	10_2_02992FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AD72A	10_2_029AD72A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_02992D90	10_2_02992D90

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 015EB150 appears 35 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 047EB150 appears 32 times

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A360 NtCreateFile,	6_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A410 NtReadFile,	6_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A490 NtClose,	6_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A540 NtAllocateVirtualMemory,	6_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A35A NtCreateFile,	6_2_0041A35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A53A NtAllocateVirtualMemory,	6_2_0041A53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01629910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016299A0 NtCreateSection,LdrInitializeThunk,	6_2_016299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01629860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629840 NtDelayExecution,LdrInitializeThunk,	6_2_01629840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016298F0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_016298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629A50 NtCreateFile,LdrInitializeThunk,	6_2_01629A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629A20 NtResumeThread,LdrInitializeThunk,	6_2_01629A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629A00 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01629A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629540 NtReadFile,LdrInitializeThunk,	6_2_01629540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016295D0 NtClose,LdrInitializeThunk,	6_2_016295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629710 NtQueryInformationToken,LdrInitializeThunk,	6_2_01629710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016297A0 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_016297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629780 NtMapViewOfSection,LdrInitializeThunk,	6_2_01629780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01629660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016296E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_016296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629950 NtQueueApcThread,	6_2_01629950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016299D0 NtCreateProcessEx,	6_2_016299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162B040 NtSuspendThread,	6_2_0162B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629820 NtEnumerateKey,	6_2_01629820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016298A0 NtWriteVirtualMemory,	6_2_016298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629B00 NtSetValueKey,	6_2_01629B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A3B0 NtGetContextThread,	6_2_0162A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629A10 NtQuerySection,	6_2_01629A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629A80 NtOpenDirectoryObject,	6_2_01629A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629560 NtWriteFile,	6_2_01629560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629520 NtWaitForSingleObject,	6_2_01629520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162AD30 NtSetContextThread,	6_2_0162AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016295F0 NtQueryInformationFile,	6_2_016295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629760 NtOpenProcess,	6_2_01629760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629770 NtSetInformationFile,	6_2_01629770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A770 NtOpenThread,	6_2_0162A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629730 NtQueryVirtualMemory,	6_2_01629730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0162A710 NtOpenProcessToken,	6_2_0162A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629FE0 NtCreateMutant,	6_2_01629FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629670 NtQueryInformationProcess,	6_2_01629670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629650 NtQueryValueKey,	6_2_01629650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01629610 NtEnumerateValueKey,	6_2_01629610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_016296D0 NtCreateKey,	6_2_016296D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829840 NtDelayExecution,LdrInitializeThunk,	10_2_04829840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_04829860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048299A0 NtCreateSection,LdrInitializeThunk,	10_2_048299A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048295D0 NtClose,LdrInitializeThunk,	10_2_048295D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_04829910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829540 NtReadFile,LdrInitializeThunk,	10_2_04829540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048296D0 NtCreateKey,LdrInitializeThunk,	10_2_048296D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_048296E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829650 NtQueryValueKey,LdrInitializeThunk,	10_2_04829650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829A50 NtCreateFile,LdrInitializeThunk,	10_2_04829A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_04829660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829780 NtMapViewOfSection,LdrInitializeThunk,	10_2_04829780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829FE0 NtCreateMutant,LdrInitializeThunk,	10_2_04829FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829710 NtQueryInformationToken,LdrInitializeThunk,	10_2_04829710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048298A0 NtWriteVirtualMemory,	10_2_048298A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048298F0 NtReadVirtualMemory,	10_2_048298F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829820 NtEnumerateKey,	10_2_04829820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0482B040 NtSuspendThread,	10_2_0482B040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048299D0 NtCreateProcessEx,	10_2_048299D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048295F0 NtQueryInformationFile,	10_2_048295F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829520 NtWaitForSingleObject,	10_2_04829520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0482AD30 NtSetContextThread,	10_2_0482AD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829950 NtQueueApcThread,	10_2_04829950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829560 NtWriteFile,	10_2_04829560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829A80 NtOpenDirectoryObject,	10_2_04829A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829A00 NtProtectVirtualMemory,	10_2_04829A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829610 NtEnumerateValueKey,	10_2_04829610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829A10 NtQuerySection,	10_2_04829A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829A20 NtResumeThread,	10_2_04829A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829670 NtQueryInformationProcess,	10_2_04829670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_048297A0 NtUnmapViewOfSection,	10_2_048297A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0482A3B0 NtGetContextThread,	10_2_0482A3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829B00 NtSetValueKey,	10_2_04829B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0482A710 NtOpenProcessToken,	10_2_0482A710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829730 NtQueryVirtualMemory,	10_2_04829730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829760 NtOpenProcess,	10_2_04829760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_04829770 NtSetInformationFile,	10_2_04829770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0482A770 NtOpenThread,	10_2_0482A770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA360 NtCreateFile,	10_2_029AA360
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA490 NtClose,	10_2_029AA490
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA410 NtReadFile,	10_2_029AA410
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA540 NtAllocateVirtualMemory,	10_2_029AA540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA35A NtCreateFile,	10_2_029AA35A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AA53A NtAllocateVirtualMemory,	10_2_029AA53A

Sample file is different than original file name gathered from version info

Source: Factura de proforma.exe	Binary or memory string: OriginalFilename vs Factura de proforma.exe
Source: Factura de proforma.exe, 00000000.00000002.327421631.0000000007900000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs Factura de proforma.exe
Source: Factura de proforma.exe, 00000000.00000000.296727350.00000000007A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: i,\\StringFileInfo\\000004B0\\OriginalFilename vs Factura de proforma.exe
Source: Factura de proforma.exe	Binary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe

PE file contains strange resources

Source: Factura de proforma.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tskpCbAwtxoaw.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Factura de proforma.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tskpCbAwtxoaw.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Factura de proforma.exe

File read: C:\Users\user\Desktop\Factura de proforma.exe

Source: unknown	Process created: C:\Users\user\Desktop\Factura de proforma.exe 'C:\Users\user\Desktop\Factura de proforma.exe'
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Factura de proforma.exe, MapEditor1/CreateMapDialog.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: tskpCbAwtxoaw.exe.0.dr, MapEditor1/CreateMapDialog.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\Factura de proforma.exe	Code function: 0_2_070C4BBD push FFFFFF8Bh; iretd	0_2_070C4BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4B5 push eax; ret	6_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D56C push eax; ret	6_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D502 push eax; ret	6_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D50B push eax; ret	6_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00419F75 push ebx; iretd	6_2_00419F7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0163D0D1 push ecx; ret	6_2_0163D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_0483D0D1 push ecx; ret	10_2_0483D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029A9F75 push ebx; iretd	10_2_029A9F7D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AD4B5 push eax; ret	10_2_029AD508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AD50B push eax; ret	10_2_029AD572
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AD502 push eax; ret	10_2_029AD508
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 10_2_029AD56C push eax; ret	10_2_029AD572

Source: initial sample	Static PE information: section name: .text entropy: 7.7904887088
Source: initial sample	Static PE information: section name: .text entropy: 7.7904887088

Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000002999904 second address: 000000000299990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000002999B7E second address: 0000000002999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 6384	Thread sleep time: -45175s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 4852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7112	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 6368	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Factura de proforma.exe	Thread delayed: delay time: 45175			Jump to behavior
Source: C:\Users\user\Desktop\Factura de proforma.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.362850284.0000000000B7D000.00000004.00000020.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.354893243.000000000EE50000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000007.00000000.375277413.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3352	Jump to behavior

Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.362766747.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Name	IP	Active
parking3.dnstool.net	13.209.99.177	true
www.festival-du-chanvre.com	unknown	unknown
www.aminobalm.com	unknown	unknown
www.palmonlae.space	unknown	unknown
www.new-post-vehicle-site.xyz	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.aminobalm.com/cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h	true	Avira URL Cloud: safe	unknown
www.thefanlounge.com/cb3b/	true	Avira URL Cloud: safe	low

ID:	502357
Product:	CloudBasic
Start time:	20:33:12
Start date:	13.10.2021
Sample:	Factura de proforma.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	16f7045eebb451234ca8078222c5994c
SHA1:	99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256:	ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report Factura de proforma.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Factura de proforma.exe.log	ASCII text, with CRLF line terminators	832D6A22CE7798D72609B9C21B4AF152	B086DE927BFEE6039F5555CE53C397D1E59B4CA4	9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
C:\Users\user\AppData\Local\Temp\tmpD689.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	1E44E6ADAE1C0CA0FD56FA664DDFE899	BED45CA5BDDB3ED71E73A72C6058ED5101440C3F	55CBE776A65A94D258CC0EA3911132969AED0F6979BE24A24BE4C4FB9F44E20A
C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	16F7045EEBB451234CA8078222C5994C	99E8F263F9E34AD13CB8CD6AF1BB816DEFFB5BDE	FF344E635B268090AAFDB8FA830E76C41F34D7CF9A9BF03ED4EDE2705008BFEF
C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309