Analysis Report Quotation Reques.exe

Overview

General Information

Sample Name:	Quotation Reques.exe
Analysis ID:	356530
MD5:	5a752fcd71acb65c618a829610b7b7e1
SHA1:	1e0608c292a70e30f75308255d6039a8ca373d8a
SHA256:	d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0

Avira URL Cloud: Label: malware

Found malware configuration

Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.valiantbranch.com/0wdn/"], "decoy": ["inclusivefamilybookshop.com", "hollyjmillsphotography.com", "mojavewellnessaz.com", "cookies-x.info", "trainingkanban.com", "tempoborough.life", "mayalv.com", "mbsgiftstore.com", "vanjele.com", "serieshaha.com", "jlbstructural.com", "topkids.asia", "thejoyofleather.com", "qvujxa.com", "anythinginworld.com", "danielablason.com", "smartphoneloops.com", "thisisauckland.com", "cityelectricals.com", "revati-thenoir.com", "beinglean.net", "bingomix.net", "africaglobalexim.com", "wayncalstore.com", "instentinotice.com", "wertzdesign.com", "mathewshea.world", "thedesailldada.com", "elinecoin.com", "xlkefu2.com", "nkdesigner.com", "0galleries.com", "ladresse-conceptpremium.com", "farrellforlegislature.com", "sphenecouture.com", "myloverhuier.com", "buildermarketingprogram.com", "ketonesconnect.com", "into.house", "crowdcrew.info", "inbox.ventures", "photomaker.pro", "homeswithkj.com", "companyincorporationlanka.com", "curbsidechauffeur.com", "xiangoshi.com", "n95brokers.com", "gurumanindustries.com", "calicarwraps.com", "shreeradheyassociates.com", "shopkonfection.com", "jadepalance.com", "videorv.com", "razpah.com", "redchillileeds.com", "samcarrt.com", "humangreens.com", "ficuswildlife.com", "dorteklarskov.com", "quitlikeaqueen.com", "shreedurgastore.com", "diabetessurgeryturkey.com", "promotionalplacements.com", "mercycaremanagement.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Quotation Reques.exe	Virustotal: Detection: 26%			Perma Link
Source: Quotation Reques.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Quotation Reques.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.Quotation Reques.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Quotation Reques.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Quotation Reques.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: Quotation Reques.exe, 00000006.00000002.299728528.000000000126F000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.494308304.00000000030AF000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdbUGP source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.490096400.0000000000380000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation Reques.exe, cmd.exe
Source:	Binary string: cmd.pdb source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe

Spreading:

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0039245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	16_2_0039245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	16_2_003968BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	16_2_0038B89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	16_2_003885EA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A31DC FindFirstFileW,FindNextFileW,FindClose,	16_2_003A31DC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_06B3EF30
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_06B3F220
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_06B3FE38
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_06B3FA20
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then pop ebx	6_2_00406A9A
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 4x nop then pop edi	6_2_0041569C

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.valiantbranch.com/0wdn/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1Host: www.mojavewellnessaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1Host: www.ficuswildlife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.thisisauckland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.trainingkanban.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1Host: www.sphenecouture.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1Host: www.dorteklarskov.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.gurumanindustries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 194.9.94.85 194.9.94.85

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View	ASN Name: KRYSTALGR KRYSTALGR
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE

Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1Host: www.mojavewellnessaz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1Host: www.ficuswildlife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.thisisauckland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.trainingkanban.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1Host: www.sphenecouture.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1Host: www.dorteklarskov.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1Host: www.gurumanindustries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.diabetessurgeryturkey.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 08:39:53 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Length: 1699Content-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 32 38 32 65 36 3b 0a 20 20 74

Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/extra_pages/website.svg
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/footer/logo-grey.png
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Quotation Reques.exe, 00000000.00000002.250833656.0000000000779000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: Quotation Reques.exe, LogIn.cs	Long String: Length: 13656
Source: ftkqUsB.exe.0.dr, LogIn.cs	Long String: Length: 13656
Source: 0.2.Quotation Reques.exe.90000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 0.0.Quotation Reques.exe.90000.0.unpack, LogIn.cs	Long String: Length: 13656
Source: 6.2.Quotation Reques.exe.660000.1.unpack, LogIn.cs	Long String: Length: 13656
Source: 6.0.Quotation Reques.exe.660000.0.unpack, LogIn.cs	Long String: Length: 13656

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation Reques.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004181D0 NtCreateFile,	6_2_004181D0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00418280 NtReadFile,	6_2_00418280
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00418300 NtClose,	6_2_00418300
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004183B0 NtAllocateVirtualMemory,	6_2_004183B0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004181CA NtCreateFile,	6_2_004181CA
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041827A NtReadFile,	6_2_0041827A
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00418222 NtCreateFile,	6_2_00418222
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004182FA NtClose,	6_2_004182FA
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004183AC NtAllocateVirtualMemory,	6_2_004183AC
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041842A NtAllocateVirtualMemory,	6_2_0041842A
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_011B9910
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9540 NtReadFile,LdrInitializeThunk,	6_2_011B9540
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B99A0 NtCreateSection,LdrInitializeThunk,	6_2_011B99A0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B95D0 NtClose,LdrInitializeThunk,	6_2_011B95D0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9840 NtDelayExecution,LdrInitializeThunk,	6_2_011B9840
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_011B9860
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B98F0 NtReadVirtualMemory,LdrInitializeThunk,	6_2_011B98F0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9710 NtQueryInformationToken,LdrInitializeThunk,	6_2_011B9710
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9780 NtMapViewOfSection,LdrInitializeThunk,	6_2_011B9780
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B97A0 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_011B97A0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9FE0 NtCreateMutant,LdrInitializeThunk,	6_2_011B9FE0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9A00 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_011B9A00
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9A20 NtResumeThread,LdrInitializeThunk,	6_2_011B9A20
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9A50 NtCreateFile,LdrInitializeThunk,	6_2_011B9A50
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_011B9660
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_011B96E0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011BAD30 NtSetContextThread,	6_2_011BAD30
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9520 NtWaitForSingleObject,	6_2_011B9520
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9950 NtQueueApcThread,	6_2_011B9950
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9560 NtWriteFile,	6_2_011B9560
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B99D0 NtCreateProcessEx,	6_2_011B99D0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B95F0 NtQueryInformationFile,	6_2_011B95F0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9820 NtEnumerateKey,	6_2_011B9820
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011BB040 NtSuspendThread,	6_2_011BB040
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B98A0 NtWriteVirtualMemory,	6_2_011B98A0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011BA710 NtOpenProcessToken,	6_2_011BA710
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9B00 NtSetValueKey,	6_2_011B9B00
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9730 NtQueryVirtualMemory,	6_2_011B9730
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9770 NtSetInformationFile,	6_2_011B9770
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011BA770 NtOpenThread,	6_2_011BA770
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9760 NtOpenProcess,	6_2_011B9760
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011BA3B0 NtGetContextThread,	6_2_011BA3B0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9610 NtEnumerateValueKey,	6_2_011B9610
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9A10 NtQuerySection,	6_2_011B9A10
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9650 NtQueryValueKey,	6_2_011B9650
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9670 NtQueryInformationProcess,	6_2_011B9670
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B9A80 NtOpenDirectoryObject,	6_2_011B9A80
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011B96D0 NtCreateKey,	6_2_011B96D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,	16_2_0038B42E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003884BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	16_2_003884BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003858A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	16_2_003858A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038B4F8 NtQueryInformationToken,NtQueryInformationToken,	16_2_0038B4F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038B4C0 NtQueryInformationToken,	16_2_0038B4C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	16_2_003A6D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003AB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	16_2_003AB5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A9AB4 NtSetInformationFile,	16_2_003A9AB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003883F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	16_2_003883F2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9A50 NtCreateFile,LdrInitializeThunk,	16_2_02FF9A50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9860 NtQuerySystemInformation,LdrInitializeThunk,	16_2_02FF9860
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9840 NtDelayExecution,LdrInitializeThunk,	16_2_02FF9840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF99A0 NtCreateSection,LdrInitializeThunk,	16_2_02FF99A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_02FF9910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_02FF96E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF96D0 NtCreateKey,LdrInitializeThunk,	16_2_02FF96D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9FE0 NtCreateMutant,LdrInitializeThunk,	16_2_02FF9FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9780 NtMapViewOfSection,LdrInitializeThunk,	16_2_02FF9780
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9710 NtQueryInformationToken,LdrInitializeThunk,	16_2_02FF9710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF95D0 NtClose,LdrInitializeThunk,	16_2_02FF95D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9540 NtReadFile,LdrInitializeThunk,	16_2_02FF9540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9A80 NtOpenDirectoryObject,	16_2_02FF9A80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9A20 NtResumeThread,	16_2_02FF9A20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9A10 NtQuerySection,	16_2_02FF9A10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9A00 NtProtectVirtualMemory,	16_2_02FF9A00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FFA3B0 NtGetContextThread,	16_2_02FFA3B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9B00 NtSetValueKey,	16_2_02FF9B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF98F0 NtReadVirtualMemory,	16_2_02FF98F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF98A0 NtWriteVirtualMemory,	16_2_02FF98A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FFB040 NtSuspendThread,	16_2_02FFB040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9820 NtEnumerateKey,	16_2_02FF9820
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF99D0 NtCreateProcessEx,	16_2_02FF99D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9950 NtQueueApcThread,	16_2_02FF9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9670 NtQueryInformationProcess,	16_2_02FF9670
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9660 NtAllocateVirtualMemory,	16_2_02FF9660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9650 NtQueryValueKey,	16_2_02FF9650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9610 NtEnumerateValueKey,	16_2_02FF9610
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF97A0 NtUnmapViewOfSection,	16_2_02FF97A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FFA770 NtOpenThread,	16_2_02FFA770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9770 NtSetInformationFile,	16_2_02FF9770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9760 NtOpenProcess,	16_2_02FF9760
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9730 NtQueryVirtualMemory,	16_2_02FF9730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FFA710 NtOpenProcessToken,	16_2_02FFA710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF95F0 NtQueryInformationFile,	16_2_02FF95F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9560 NtWriteFile,	16_2_02FF9560
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FFAD30 NtSetContextThread,	16_2_02FFAD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FF9520 NtWaitForSingleObject,	16_2_02FF9520

Contains functionality to communicate with device drivers

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_00396550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

16_2_00396550

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_0039374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

16_2_0039374E

Detected potential crypto function

Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_00A1C2B0	0_2_00A1C2B0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_00A19990	0_2_00A19990
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B30040	0_2_06B30040
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B32EB8	0_2_06B32EB8
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B32EA7	0_2_06B32EA7
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B32C68	0_2_06B32C68
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B32C58	0_2_06B32C58
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B30D88	0_2_06B30D88
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 0_2_06B3FA20	0_2_06B3FA20
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041B862	6_2_0041B862
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041C864	6_2_0041C864
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_004012FB	6_2_004012FB
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041BB26	6_2_0041BB26
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00408C6B	6_2_00408C6B
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00408C70	6_2_00408C70
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041CC1E	6_2_0041CC1E
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041CE55	6_2_0041CE55
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041CFEB	6_2_0041CFEB
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0117F900	6_2_0117F900
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01242D07	6_2_01242D07
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01170D20	6_2_01170D20
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01194120	6_2_01194120
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01241D55	6_2_01241D55
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011A2581	6_2_011A2581
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0118D5E0	6_2_0118D5E0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_012425DD	6_2_012425DD
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0118841F	6_2_0118841F
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01231002	6_2_01231002
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0123D466	6_2_0123D466
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0118B090	6_2_0118B090
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_012420A8	6_2_012420A8
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011A20A0	6_2_011A20A0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_012428EC	6_2_012428EC
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01242B28	6_2_01242B28
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011AEBB0	6_2_011AEBB0
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01241FF1	6_2_01241FF1
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0123DBD2	6_2_0123DBD2
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01196E30	6_2_01196E30
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_012422AE	6_2_012422AE
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_01242EF7	6_2_01242EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038D803	16_2_0038D803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038E040	16_2_0038E040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00389CF0	16_2_00389CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A5CEA	16_2_003A5CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003848E6	16_2_003848E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A3506	16_2_003A3506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00391969	16_2_00391969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00396550	16_2_00396550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00387190	16_2_00387190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A31DC	16_2_003A31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038FA30	16_2_0038FA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00385226	16_2_00385226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00385E70	16_2_00385E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00388AD7	16_2_00388AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0038CB48	16_2_0038CB48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003A6FF0	16_2_003A6FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00395FC8	16_2_00395FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03082B28	16_2_03082B28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0307DBD2	16_2_0307DBD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_030703DA	16_2_030703DA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FEEBB0	16_2_02FEEBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_030822AE	16_2_030822AE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FE20A0	16_2_02FE20A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FCB090	16_2_02FCB090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03071002	16_2_03071002
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0308E824	16_2_0308E824
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_030820A8	16_2_030820A8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FD4120	16_2_02FD4120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_030828EC	16_2_030828EC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FBF900	16_2_02FBF900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0308DFCE	16_2_0308DFCE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FD6E30	16_2_02FD6E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03081FF1	16_2_03081FF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0307D616	16_2_0307D616
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03082EF7	16_2_03082EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03082D07	16_2_03082D07
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_03081D55	16_2_03081D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_030825DD	16_2_030825DD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FC841F	16_2_02FC841F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FCD5E0	16_2_02FCD5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0307D466	16_2_0307D466
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FE2581	16_2_02FE2581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_02FB0D20	16_2_02FB0D20

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: String function: 0117B150 appears 35 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 02FBB150 appears 35 times

Sample file is different than original file name gathered from version info

Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.260917358.0000000008520000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.261409049.0000000008900000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.261409049.0000000008900000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.261136477.0000000008800000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.250833656.0000000000779000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.260463559.0000000008360000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000000.00000002.257804637.0000000006B50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000006.00000002.295518659.00000000006D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000006.00000002.300144272.0000000002D5D000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Quotation Reques.exe
Source: Quotation Reques.exe, 00000006.00000002.299930455.00000000013FF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation Reques.exe
Source: Quotation Reques.exe	Binary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe

Uses 32bit PE files

Source: Quotation Reques.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation Reques.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ftkqUsB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Quotation Reques.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: ftkqUsB.exe.0.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.Quotation Reques.exe.90000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.Quotation Reques.exe.90000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 6.2.Quotation Reques.exe.660000.1.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 6.0.Quotation Reques.exe.660000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@14/7

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_0038C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

16_2_0038C5CA

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 16_2_003AA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

16_2_003AA0D2

Source: C:\Users\user\Desktop\Quotation Reques.exe

File created: C:\Users\user\AppData\Roaming\ftkqUsB.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: unknown	Process created: C:\Users\user\Desktop\Quotation Reques.exe 'C:\Users\user\Desktop\Quotation Reques.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Quotation Reques.exe C:\Users\user\Desktop\Quotation Reques.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process created: C:\Users\user\Desktop\Quotation Reques.exe C:\Users\user\Desktop\Quotation Reques.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'	Jump to behavior

Source: Quotation Reques.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ftkqUsB.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation Reques.exe.90000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Quotation Reques.exe.90000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Quotation Reques.exe.660000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.Quotation Reques.exe.660000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041B3C5 push eax; ret	6_2_0041B418
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041B47C push eax; ret	6_2_0041B482
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041B412 push eax; ret	6_2_0041B418
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041B41B push eax; ret	6_2_0041B482
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_0041363A push 2B6D3EBBh; ret	6_2_0041363F
Source: C:\Users\user\Desktop\Quotation Reques.exe	Code function: 6_2_011CD0D1 push ecx; ret	6_2_011CD0E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003976BD push ecx; ret	16_2_003976D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_003976D1 push ecx; ret	16_2_003976E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_0300D0D1 push ecx; ret	16_2_0300D0E4

Source: initial sample	Static PE information: section name: .text entropy: 7.41809908536
Source: initial sample	Static PE information: section name: .text entropy: 7.41809908536

Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252016521.00000000025CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation Reques.exe PID: 6476, type: MEMORY
Source: Yara match	File source: 0.2.Quotation Reques.exe.25b68bc.1.raw.unpack, type: UNPACKEDPE

Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Quotation Reques.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation Reques.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 00000000027A85F4 second address: 00000000027A85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 00000000027A898E second address: 00000000027A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation Reques.exe TID: 6480	Thread sleep time: -103883s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe TID: 6508	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1260	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 6804	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.276205603.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000007.00000002.499562752.0000000003767000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.255979179.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000007.00000000.276290467.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000002.492781138.00000000011EE000.00000004.00000020.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqq
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000002.505306123.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.276290467.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Quotation Reques.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Quotation Reques.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00397310 SetUnhandledExceptionFilter,		16_2_00397310
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 16_2_00396FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_00396FE3

Source: C:\Windows\explorer.exe	Network Connect: 194.9.94.85 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 77.72.1.202 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.153.133.87 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 194.59.164.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 138.197.103.178 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.180.46.143 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 51.83.43.226 80	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Reques.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Quotation Reques.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Quotation Reques.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3472			Jump to behavior

Analysis Report Quotation Reques.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: explorer.exe, 00000007.00000000.271852974.0000000005EA0000.00000004.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000007.00000002.491976988.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	16_2_003896A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	16_2_00385AEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	16_2_00393F80

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.85	unknown	Sweden	39570	LOOPIASE	true
77.72.1.202	unknown	United Kingdom	12488	KRYSTALGR	true
160.153.133.87	unknown	United States	21501	GODADDY-AMSDE	true
51.83.43.226	unknown	France	16276	OVHFR	true
194.59.164.34	unknown	Germany	47583	AS-HOSTINGERLT	true
138.197.103.178	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
107.180.46.143	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

Name	IP	Active
thisisauckland.com	77.72.1.202	true
www.buildermarketingprogram.com	208.97.149.17	true
sphenecouture.com	160.153.133.87	true
www.trainingkanban.com	51.83.43.226	true
www.ficuswildlife.com	138.197.103.178	true
www.dorteklarskov.com	194.9.94.85	true
gurumanindustries.com	194.59.164.34	true
mojavewellnessaz.com	107.180.46.143	true
www.vanjele.com	unknown	unknown
www.mojavewellnessaz.com	unknown	unknown
www.sphenecouture.com	unknown	unknown
www.diabetessurgeryturkey.com	unknown	unknown
www.xlkefu2.com	unknown	unknown
www.thisisauckland.com	unknown	unknown
www.gurumanindustries.com	unknown	unknown
www.topkids.asia	unknown	unknown
www.thedesailldada.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0	true	Avira URL Cloud: malware	unknown
http://www.gurumanindustries.com/0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0	true	Avira URL Cloud: safe	unknown
http://www.sphenecouture.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt	true	Avira URL Cloud: safe	unknown
http://www.ficuswildlife.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us	true	Avira URL Cloud: safe	unknown
http://www.mojavewellnessaz.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1	true	Avira URL Cloud: safe	unknown
http://www.dorteklarskov.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0	true	Avira URL Cloud: safe	unknown
www.valiantbranch.com/0wdn/	true	Avira URL Cloud: safe	low
http://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0	true	Avira URL Cloud: safe	unknown

ID:	356530
Product:	CloudBasic
Start time:	09:37:21
Start date:	23.02.2021
Sample:	Quotation Reques.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5a752fcd71acb65c618a829610b7b7e1
SHA1:	1e0608c292a70e30f75308255d6039a8ca373d8a
SHA256:	d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Reques.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmp1923.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	1BF9853001A0DBB1C19F15A6EDE92E65	45EF1D7D64F2994F602A2C78AAD375C35315BD52	72F2B78F4787E9E88D4FF93F0585158549D64E309E310AE31A0C5DB83DC8680B
C:\Users\user\AppData\Roaming\ftkqUsB.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	5A752FCD71ACB65C618A829610B7B7E1	1E0608C292A70E30F75308255D6039A8CA373D8A	D96042B51F171F68A99D4568F311F267FE595DF0ADD3851E162CBCEE7F897EDB
C:\Users\user\AppData\Roaming\ftkqUsB.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309