Windows Analysis Report: Factura de proforma.exe

Overview

General Information

Sample Name: Factura de proforma.exe
Analysis ID: 502357
MD5: 16f7045eebb451234ca8078222c5994c
SHA1: 99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256: ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Tags: ESPexegeo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Factura de proforma.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Factura de proforma.exe' MD5: 16F7045EEBB451234CA8078222C5994C)
    • schtasks.exe (PID: 6436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6388 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3408 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com", "jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com", "bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com", "agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com", "techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com", "houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz", "outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com", "highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com", "nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net", "alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com", "gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com", "democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com", "abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com", "wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(21 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a49:$sqlite3step: 68 34 1C 7B E1
  • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a78:$sqlite3text: 68 38 2A 90 C5
  • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Factura de proforma.exe.2bd16b0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Factura de proforma.exe.3cc0560.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(8 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Factura de proforma.exe', ParentImage: C:\Users\user\Desktop\Factura de proforma.exe, ParentProcessId: 6952, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6388
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Factura de proforma.exe', ParentImage: C:\Users\user\Desktop\Factura de proforma.exe, ParentProcessId: 6952, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6388

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com", "jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com", "bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com", "agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com", "techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com", "houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz", "outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com", "highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com", "nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net", "alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com", "gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com", "democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com", "abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com", "wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}
Yara detected FormBook
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Factura de proforma.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Factura de proforma.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP, source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: RegSvcs.exe, cscript.exe
Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source: Binary string: cscript.pdb, source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 4x nop then pop edi, 6_2_00416CEC

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.aminobalm.com
Source: C:\Windows\explorer.exe, Domain query: www.palmonlae.space
Source: C:\Windows\explorer.exe, Network Connect: 13.209.99.177 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.new-post-vehicle-site.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.thefanlounge.com/cb3b/
Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic, HTTP traffic detected: GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1 | Host: www.aminobalm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Factura de proforma.exe, 00000000.00000003.299841120.0000000000D0D000.00000004.00000001.sdmp, String found in binary or memory: http://en.w
Source: Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designerskSHU
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com-uT
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comc
Source: Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn
Source: Factura de proforma.exe, 00000000.00000003.304081072.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn.U
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn2U%
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/7D
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/JD
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/XDiUa
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/a-eoDFU$
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/tDMU
Source: Factura de proforma.exe, 00000000.00000003.300417307.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krN.TTFs
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comF
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 0000000A.00000002.573092724.00000000051DF000.00000004.00020000.sdmp, String found in binary or memory: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx
Source: unknown, DNS traffic detected: queries for: www.palmonlae.space
Source: global traffic, HTTP traffic detected: GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1 | Host: www.aminobalm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: Factura de proforma.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296F298
Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296F288
Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296D064
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041F04E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D97A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041EBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E3A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D72A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041EF37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01604120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0161EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01612581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01606E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2EF7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047F841F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048A1002
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047FB090
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047E0D20
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047EF900
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047FD5E0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04804120
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048B1D55
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04806E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0481EBB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AE872
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02999E1A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02999E60
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02992FB0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AD72A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02992D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function 015EB150 appears 35 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function 047EB150 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A360 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A410 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A490 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A540 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A35A NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A53A NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016298F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016297A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629950 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016299D0 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162B040 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629820 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016298A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629B00 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A10 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A80 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629560 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629520 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162AD30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016295F0 NtQueryInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629760 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629770 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A770 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629730 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A710 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629FE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629670 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629650 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629610 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016296D0 NtCreateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048296D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829560 NtWriteFile
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829A00 NtProtectVirtualMemory,10_2_0482
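The rows above are the raw evidence behind two of the report's verdicts, "Sample uses process hollowing technique" and "Queues an APC in another process": the Yara hits pin Formbook to specific memory dumps (the dump name carries the process, base address and page protection), and the "Code function" rows list which native APIs each injected process resolves. The script below is an added triage example, not part of the Joe Sandbox report. It parses both row types as this page's extraction renders them (columns fused together or separated by " | "), decodes the protection field of each flagged dump, groups the Nt* calls by process and checks whether the textbook hollowing chain (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) and the APC chain (NtWriteVirtualMemory, NtQueueApcThread) are both present. The dump-name layout (pid.stage.dumpid.base.protect.type, all hex) is an assumption about the sandbox's naming; the PAGE_* constants are Windows' documented values. The sample rows are a constructed subset copied from this report.

```python
"""Triage helper for flattened Joe Sandbox signature rows (added example)."""
import re
from collections import defaultdict

# Windows memory protection constants (documented values, not assumptions).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Textbook API chains for the two injection techniques the report names.
HOLLOWING_APIS = {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                  "NtSetContextThread", "NtResumeThread"}
APC_INJECTION_APIS = {"NtWriteVirtualMemory", "NtQueueApcThread"}

# Assumption: dump names are <pid>.<stage>.<dump id>.<base>.<protect>.<type>.sdmp.
# Tolerates the fused "MEMORYMatched rule:" form as well as a " | " separator.
SDMP_RE = re.compile(
    r"Source:\s*([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp.*?Matched rule:\s*"
    r"(.+?)(?=\s+(?:Author:|date =|author =)|$)"
)
# '6_2_016299A0 NtCreateSection,LdrInitializeThunk,6_2_016299A0': the API list
# is identifiers starting with a letter, so the repeated trailing id is skipped.
CODE_RE = re.compile(
    r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]+)\s+([A-Za-z]\w*(?:,[A-Za-z]\w*)*)"
)

# Constructed sample: a subset of this report's rows, in both rendering forms.
SAMPLE_ROWS = [
    r"Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group",
    r"Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016297A0 NtUnmapViewOfSection,LdrInitializeThunk",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016298A0 NtWriteVirtualMemory",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162AD30 NtSetContextThread",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A20 NtResumeThread,LdrInitializeThunk",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629950 NtQueueApcThread",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048298A0 NtWriteVirtualMemory,10_2_048298A0",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04829950 NtQueueApcThread,10_2_04829950",
    r"Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0482AD30 NtSetContextThread,10_2_0482AD30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041F04E6_2_0041F04E",
]


def parse_yara_hits(lines):
    """Return one dict per Yara hit on a memory dump: pid, base, protection, rule."""
    hits = []
    for line in lines:
        m = SDMP_RE.search(line)
        if not m:
            continue
        pid, _stage, _dump_id, base, protect, _mtype, rule = m.groups()
        prot = int(protect, 16)
        hits.append({"pid": int(pid, 16), "base": int(base, 16),
                     "protection": PAGE_PROTECTION.get(prot, hex(prot)),
                     "rule": rule.strip()})
    return hits


def native_calls_by_process(lines):
    """Map pid -> set of Nt* APIs named in that process's Code function rows."""
    calls = defaultdict(set)
    for line in lines:
        m = CODE_RE.search(line)
        if not m:
            continue
        for api in m.group(4).split(","):
            if api.startswith("Nt"):
                calls[int(m.group(1))].add(api)
    return dict(calls)


def injection_assessment(calls):
    """Per pid: does the observed API set cover the hollowing and APC chains?"""
    return {pid: {"hollowing": HOLLOWING_APIS <= apis,
                  "hollowing_missing": sorted(HOLLOWING_APIS - apis),
                  "apc_injection": APC_INJECTION_APIS <= apis}
            for pid, apis in calls.items()}


if __name__ == "__main__":
    for hit in parse_yara_hits(SAMPLE_ROWS):
        print(f"pid {hit['pid']}: {hit['rule']} at {hit['base']:#x} ({hit['protection']})")
    for pid, verdict in injection_assessment(native_calls_by_process(SAMPLE_ROWS)).items():
        print(f"pid {pid}: {verdict}")
```

On the rows of this report, the Formbook hit in process 6 (RegSvcs.exe) sits at base 0x400000 with PAGE_EXECUTE_READWRITE, i.e. the hollowed image base of the sacrificial .NET host, and process 6 resolves the complete hollowing chain plus NtQueueApcThread; process 10 (cscript.exe) in the constructed subset covers only the APC chain, which matches the report's separate "Queues an APC in another process" verdict.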