
Analysis Report: Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321389
MD5: ba4f1b472cb69d8a3924d88dacf1b833
SHA1: 622cdccdc0f020d368a87c5eff9ec1a1259e21c7
SHA256: 2a694c3a8347816b2f85e036b1064e410ad1578185a0608416944199ef72b82c
Tags: exe, Formbook, Yahoo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: BA4F1B472CB69D8A3924D88DACF1B833)
    • MSBuild.exe (PID: 6748 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings

  • Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
    • 0x16089:$sqlite3step: 68 34 1C 7B E1
    • 0x1619c:$sqlite3step: 68 34 1C 7B E1
    • 0x160b8:$sqlite3text: 68 38 2A 90 C5
    • 0x161dd:$sqlite3text: 68 38 2A 90 C5
    • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
  • Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
      • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings

  • Source: 1.2.MSBuild.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Source: 1.2.MSBuild.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
        • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Source: 1.2.MSBuild.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
        • 0x15289:$sqlite3step: 68 34 1C 7B E1
        • 0x1539c:$sqlite3step: 68 34 1C 7B E1
        • 0x152b8:$sqlite3text: 68 38 2A 90 C5
        • 0x153dd:$sqlite3text: 68 38 2A 90 C5
        • 0x152cb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x153f3:$sqlite3blob: 68 53 D8 7F 8C
  • Source: 1.2.MSBuild.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Source: 1.2.MSBuild.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
          • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 | Avira URL Cloud: Label: malware
Source: http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49747
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49756
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49758
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49759
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.allan-wren.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.theoutdoorbed.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.sweetbasilmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.pasumaisangam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.justsoldbykristen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.lotoencasa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.guidesgold.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.thoughtslate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.chemtradent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.erpsystem.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.forbigdogs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.rockinglifefromhome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.allmm.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 81.169.145.95
Source: Joe Sandbox View | IP Address: 185.201.11.126
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 21 Nov 2020 08:24:27 GMT | Server: Apache/2.4.43 (Unix) | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase Order 40,7045$.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417BA0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C50 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CD0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C4C NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CCA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677BA0 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C50 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CD0 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677D80 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C4C NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CCA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 014EB150 appears 136 times
          Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 047DB150 appears 72 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exeBinary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: *.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBuild MyApp.csproj /t:Clean
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: /ignoreprojectextensions:.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@16/11
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 40,7045$.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
          Source: Purchase Order 40,7045$.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmpBinary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!
          Source: Purchase Order 40,7045$.exeReversingLabs: Detection: 18%
          Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Purchase Order 40,7045$.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Purchase Order 40,7045$.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: Purchase Order 40,7045$.exeStatic file information: File size 1269760 > 1048576
          Source: Purchase Order 40,7045$.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x135800
          Source: Purchase Order 40,7045$.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000001.00000002.289628195.00000000014C0000.00000040.00000001.sdmp, raserver.exe, 00000006.00000002.522839886.00000000047B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MSBuild.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: RAServer.pdbGCTL source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Purchase Order 40,7045$.exe, a?opP?s???y/WD??v?aA?O.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Purchase Order 40,7045$.exe.810000.0.unpack, a?opP?s???y/WD??v?aA?O.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeCode function: 0_2_0130DF50 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00415913 push edx; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0041AC62 push D8D19732h; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00414D57 push esi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0041AD65 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00414DEA push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0041ADB2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0041ADBB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00414E7E push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0041AE1C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00414E24 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0040FF92 push 00000033h; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0153D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0482D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_00675913 push edx; retf
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0067AC62 push D8D19732h; iretd
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0067AD65 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_00674D57 push esi; retf
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_00674DEA push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0067ADB2 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0067ADBB push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_00674E7E push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_00674E24 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0067AE1C push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 6_2_0066FF92 push 00000033h; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.30520133301
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara matchFile source: 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Purchase Order 40,7045$.exe PID: 6708, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000006683D4 second address: 00000000006683DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 000000000066876E second address: 0000000000668774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_004086A0 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6740Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6712Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6728Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6596Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6136Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.274511209.000000000891C000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.265134044.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 00000003.00000002.522311765.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000003.00000002.531888786.00000000053D7000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmpBinary or memory string: VMware
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_004086A0 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_00409900 LdrLoadDll,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01504120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01504120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015099BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01500050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01567016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode funct